11

I have an NGINX server with PHP (let's assume a hostname of http://myserver.com). I have a PHP script that I'm accessing via XHR from a web page on my localhost. I'm using it as a GeoIP server similar to freegeoip.net.

I'm trying to lock down XHR to specific domains.

Here's my config setup:

location ~ \.php$ {
    try_files $uri =404;
    fastcgi_pass 127.0.0.1:9000;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;

    fastcgi_param GEOIP_COUNTRY_CODE $geoip2_data_country_code;
    fastcgi_param GEOIP_COUNTRY_NAME $geoip2_data_country_name;
    fastcgi_param GEOIP_COUNTRY_GEONAME_ID $geoip2_data_country_geoname_id;
    fastcgi_param GEOIP_CITY_NAME $geoip2_data_city_name;
    fastcgi_param GEOIP_CITY_GEONAME_ID $geoip2_data_city_geoname_id;
    fastcgi_param GEOIP_CONTINENT_CODE $geoip2_data_city_continent_code;
    fastcgi_param GEOIP_CONTINENT_GEONAME_ID $geoip2_data_city_continent_geoname_id;
    fastcgi_param GEOIP_LATITUDE $geoip2_data_city_location_latitude;
    fastcgi_param GEOIP_LONGITUDE $geoip2_data_city_location_longitude;
    fastcgi_param GEOIP_TIME_ZONE $geoip2_data_city_location_timezone;
    fastcgi_param GEOIP_ISP $geoip2_data_city_traits_isp;
    fastcgi_param GEOIP_IP_ADDRESS $geoip2_data_city_traits_ip_address;

    set $cors "";

    if ($http_origin ~* 'https?://(www\.domain1\.com|www\.domain2\.com)')
    {
        set $cors "true";
    }

    if ($cors = 'true')
    {
        add_header 'Access-Control-Allow-Origin' "$http_origin";
        add_header 'Access-Control-Allow-Credentials' 'true';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,Pragma,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Mx-ReqToken,X-Requested-With';
    }

    if ($request_method = 'OPTIONS')
    {
        return 204;
    }
}

The issue I'm having is that when I execute the XHR request, I get the following error:

XMLHttpRequest cannot load http://myserver.com/. The 'Access-Control-Allow-Origin' header contains multiple values '*, http://localhost', but only one is allowed. Origin 'http://localhost' is therefore not allowed access.

I have only one call to add_header 'Access-Control-Allow-Origin' "$http_origin"; in the config file, so why do I have the multiple values? Is there a way I can disable the first call i.e. *?

ObiHill
  • 11,448
  • 20
  • 86
  • 135

2 Answers2

9

1.) Have the application dynamically approve and add the response header.

$allowed_domains = ['http://allowed.com','http://another_allowed.com'];

function add_cors_header() {
    if (in_array($_SERVER['http_origin'], $allowed_domains)) {
        header('Access-Control-Allow-Origin', $_SERVER['http_origin']);
    }
}

2.) Or install the OpenResty version of Nginx with Lua enabled and do the same, but with Lua in the Nginx conf file.

chasez0r
  • 544
  • 5
  • 18
  • Very smart solution! This solution of yours should be boosted more as many people think that CORS only allows one or all domains, and not just selected domains. – itoctopus Nov 26 '20 at 19:15
  • 1
    Suggested code looks promising. plz suggest with sample code that allow http & https both. Also sample code of nginx, so that easy to understand code because I am new to nginx. – dinu0101 Dec 18 '20 at 11:16
  • Yes, for newbies this is a bit hard to put into practice, can you show where this function should be defined, etc. ? Thanks. – Will59 Oct 10 '22 at 07:39
6

So the mistake I made was that I had the following in my PHP file:

header('Access-Control-Allow-Origin: *');

I had set it up earlier and just forgot to take it out.

Everything works great now.

ObiHill
  • 11,448
  • 20
  • 86
  • 135