1

I'm new in Apache server configuration, now I try to enable CORS.

With follow setting in httpd.conf, CORS can work properly.

<VirtualHost *:80>
    DocumentRoot /var/www/html/
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} OPTIONS
    RewriteRule ^(.*)$ $1 [R=200,L]

    Header always set Access-Control-Allow-Origin "http://example.com"
    Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
    Header always set Access-Control-Allow-Headers: "Content-Type"
</VirtualHost>

But current server always set Access-Control-Allow-xxx header to all coming request (Both Pre-flight OPTIONS request and actual request).

I only want to add Access-Control-Allow-xxx header for Pre-light request from setting origin (http://example.com), have any way to config for it?

I've read this question, and setenvif manual, but I can't find any option that I can extract Origin info from the request.

I will be grateful for any help you can provide.

zaqxsw
  • 31
  • 6
  • You mean you only want to respond with those headers, if the `Origin` header of the request is `http://example.com`? – CBroe Mar 29 '18 at 08:23
  • Thanks CBroe for your quickly reply. > You mean you only want to respond with those headers, if the Origin header of the request is http://example.com? => Yes. It's exactly what I want. I also read above article but it only set condition by request_url. I can't find any option to check Origin header of the request. – zaqxsw Mar 29 '18 at 08:27
  • Well that’s the part where you go read up on the `SetEnvIf` directive in the manual then, right? http://httpd.apache.org/docs/2.2/mod/mod_setenvif.html#setenvif – CBroe Mar 29 '18 at 08:31
  • Yep. absolutely I also read it too. As manual, the `attribute ` of `SetEnvIf` have `Remote_Host, Remote_Addr, Server_Addr, Request_Method, Request_Protocol, Request_URI`. There is no option that I can extract `Origin` info from request. – zaqxsw Mar 29 '18 at 08:37
  • Read it again. `The attribute specified in the first argument can be one of three things:` The first one covers your scenario – arco444 Mar 29 '18 at 08:49
  • _“An HTTP request header field (see RFC2616 for more information about these); for example: `Host`, `User-Agent`, `Referer`, and `Accept-Language`.”_ – CBroe Mar 29 '18 at 09:00
  • Thanks for remind. With `SetEnvIf Origin http://example.com SIGN` I can control these header was added or didn't. Thanks for all your help. – zaqxsw Mar 29 '18 at 09:15

1 Answers1

1

As SetEnvIf document, attribute in SetEnvIf attribute regex [!]env-variable syntax, can be An HTTP request header field (see RFC2616 for more information about these); for example: Host, User-Agent, Referer, and Accept-Language.

So I can resolve with below config.

<VirtualHost *:80>
    DocumentRoot /var/www/html/
    SetEnvIf Origin "^http://fiddle.jshell.net$" ORIGIN_COND

    Header always set Access-Control-Allow-Origin "http://example.com" env=ORIGIN_COND
    ...   
</VirtualHost>

Thanks @CRroe and @arco444 make me clearly.

zaqxsw
  • 31
  • 6