I have made a single page web application that utilizes elasticsearch and requires that the user have CORS enabled and I was wondering what I could do to make the web application not require that the user have CORS enabled.
1 Answers
Every current browser forces the CORS verification, and they cannot be disabled on the level of a single website.
You need to add `Access-Control-*` headers which inform your browser it can make a safe connection.
1. If you are making connections directly to the ElasticSearch:
You will need to modify your `elasticsearch.yml` file. Add the keys below to the configuration file and restart your server:
```
http.cors.enabled: true
http.cors.allow-origin: /https?:\/\/localhost(:[0-9]+)?/
```
These keys enable sending proper headers to the client and allow browsers to establish connections. Remember to change the `http.cors.allow-origin` regex to be valid with your domain if you run the server outside localhost.
You can find more details and additional settings in the ElasticSearch documentation.
2. If you are using a reverse proxy (e.g. Nginx)
You can also add the required headers on the reverse proxy level. Unlike the previous method, in this case, you need to set all the necessary headers by yourself to make the connection happen.
Basic configuration for Nginx server used as the reverse proxy:
```
server {
    listen 80;
    server_name elasticsearch.example.com;

    location / {
        # Forward requests to the local Elasticsearch node
        proxy_pass http://127.0.0.1:9200;
        proxy_redirect off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;

        # Drop any Access-Control-Allow-Origin sent by the upstream, then set the CORS headers here
        proxy_hide_header 'Access-Control-Allow-Origin';
        add_header 'Access-Control-Allow-Origin' 'http://example.com';
        add_header 'Access-Control-Allow-Methods' 'OPTIONS, HEAD, GET, POST, PUT, DELETE';
        add_header 'Access-Control-Allow-Headers' 'X-Requested-With, Content-Type, Content-Length';

        # Answer CORS preflight requests without passing them upstream
        if ($request_method = 'OPTIONS') {
            return 200;
        }
    }
}
```
If you want (e.g. for development purposes) to disable CORS validation on your browser, you can also do it. However, before you do that, please be aware of all the risks.
Disabling CORS checking in Google Chrome:
You need to run Google Chrome with the following arguments: `--disable-web-security --user-data-dir`.
Windows and Linux users
```
$ [Chrome executable path] --disable-web-security --user-data-dir
```
Mac OS users
```
$ open /Applications/Google\ Chrome.app --args --disable-web-security --user-data-dir
```
Disabling CORS checking in Safari:
Enable Safari Developer Menu
Go to Safari -> Preferences -> Advanced and select Show Developer Menu in menu bar
Open Developer menu in menu bar
Select Disable Cross-Origin Restrictions
Disabling CORS checking in Firefox
- I'm still having the same issue after modifying the elasticsearch file. I can get it to work on my local network, but not outside of my local network. I'm using a simple node http-server with cors enabled. – Camilo Riviere Apr 23 '17 at 18:55
- @CamiloRiviere did you modify the `http.cors.allow-origin` to match origins outside your local machine? – Tomasz Kajtoch Apr 23 '17 at 19:51
- I followed the regex you posted above, "/https?:\/\/localhost(:[0-9]+)?/", and even removed "localhost" from the regex to see if that worked, but it didn't. Is there a different regex that I need to use to be able to connect from a remote machine? – Camilo Riviere Apr 23 '17 at 22:42
- @CamiloRiviere You need to provide a regex that allows your remote domain to connect. For example, if you have a domain `example.com`, you'll need to set the `http.cors.allow-origin` to `/https?:\/\/(?:.+\.)?example.com(:[0-9]+)?/` which will allow connections from the `example.com` domain and all its subdomains on any port (e.g. `http://example.com` and `https://test.example.com:8080`) – Tomasz Kajtoch Apr 24 '17 at 07:24
- Ah, I see. So this would be easier if I actually host this web application somewhere then? – Camilo Riviere Apr 24 '17 at 14:14
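An added example, not part of the original answer or comments: a small audit that checks an `http.cors.allow-origin` value against origins you intend to allow and origins you intend to reject, run here on the two patterns quoted above. It assumes a slash-wrapped value is a regex that must match the entire Origin header; the function names, the sample origins and the `STRICT` pattern are constructed for illustration.

```python
import re

# Values of http.cors.allow-origin quoted on this page
LOCALHOST = r"/https?:\/\/localhost(:[0-9]+)?/"
DOMAIN = r"/https?:\/\/(?:.+\.)?example.com(:[0-9]+)?/"
# Illustrative stricter variant (not from the page): dots escaped, label charset fixed
STRICT = r"/https?:\/\/(?:[a-z0-9-]+\.)*example\.com(:[0-9]+)?/"


def origin_checker(setting):
    """Build an allow/deny predicate for one allow-origin value.

    Assumption: a value wrapped in slashes is a regex that must match the
    entire Origin header; "*" allows everything; anything else is literal.
    """
    if setting == "*":
        return lambda origin: True
    if len(setting) > 2 and setting[0] == "/" and setting[-1] == "/":
        pattern = re.compile(setting[1:-1])
        return lambda origin: pattern.fullmatch(origin) is not None
    return lambda origin: origin == setting


def audit(setting, must_allow, must_reject):
    """Return (origin, problem) pairs where the setting disagrees with intent."""
    allowed = origin_checker(setting)
    findings = [(o, "blocked") for o in must_allow if not allowed(o)]
    findings += [(o, "allowed") for o in must_reject if allowed(o)]
    return findings


# Constructed sample origins: the first list should pass, the second should not
WANTED = ["http://example.com", "https://test.example.com:8080"]
UNWANTED = ["https://example.com.other.test", "https://notexample.com",
            "https://examplexcom"]

if __name__ == "__main__":
    for name, value in [("localhost", LOCALHOST), ("domain", DOMAIN),
                        ("strict", STRICT)]:
        print(name, audit(value, WANTED, UNWANTED))
```

The localhost pattern blocks every non-localhost origin, and the unescaped dot in `example.com` lets the domain pattern accept a host that is not under `example.com`; the escaped variant produces no findings on these samples.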