
I recently changed to having a different host for my API and frontend.

https://frontend.com > axios: https://api.com/endpoint

And now none of my API calls are working. I have played around with my CORS settings for a while but cannot get it to work. I am also using Cloudflare and Origin generated certs from Cloudflare.

```js
// SET UP CORS
app.use(function (request, response, next) {
  response.header("Access-Control-Allow-Origin", "*");
  // response.header("Access-Control-Allow-Methods", "GET, POST");
  response.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept, Authorization");
  next();
});
```

The error:

Access to XMLHttpRequest at 'https://api.com/endpoint/login' from origin 'https://frontend.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status.

I am using NGINX in front of node as follows:

Front End:

```nginx
server {
  ## HTTPS
  listen 443 ssl;
  listen [::]:443 ssl;

  ## TIMEOUTS
  proxy_read_timeout 600;
  proxy_connect_timeout 600;
  proxy_send_timeout 600;

  ## SSL CONFIGURATION
  ssl_certificate /etc/ssl/my.pem;
  ssl_certificate_key /etc/ssl/my.key;
  # ssl_client_certificate /etc/ssl/cloudflare.crt;
  # ssl_verify_client on;

  ## LISTEN FOR THESE HOSTNAMES
  server_name frontend.com;

  ## HEADERS
  add_header Cache-Control no-cache;

  ## CONTENT LOCATION
  location / {
    expires -1;
    root /var/www/XXXX/XXXX;
    index index.html;
    try_files $uri $uri/ =404;
  }

  ## ERROR PAGE LOCATION
  error_page 404 /404.html;
  location = /404.html {
    root /var/www/XXXX/XXXX/404;
    internal;
  }

  ## DENY REQUESTS STARTING WITH ht (htaccess, htgroup, htusers)
  location ~ /\.ht {
    deny all;
  }
}
```

API:

```nginx
server {
  ## HTTPS
  listen 443 ssl;
  listen [::]:443 ssl;

  ## TIMEOUTS
  proxy_read_timeout 600;
  proxy_connect_timeout 600;
  proxy_send_timeout 600;

  ## SSL CONFIGURATION
  ssl_certificate /etc/ssl/my.pem;
  ssl_certificate_key /etc/ssl/my.key;
  # ssl_client_certificate /etc/ssl/cloudflare.crt;
  # ssl_verify_client on;

  ## LISTEN FOR THESE HOSTNAMES
  server_name api.com;

  ## HEADERS
  add_header Cache-Control no-cache;

  ## CONTENT LOCATION
  location /bridge {
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
    proxy_set_header Host $host;
    proxy_cache_bypass $http_upgrade;
    proxy_pass http://localhost:3001/;
    proxy_redirect off;
  }

  location /auth {
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
    proxy_set_header Host $host;
    proxy_cache_bypass $http_upgrade;
    proxy_pass http://localhost:3002/;
    proxy_redirect off;
  }

  location /issue {
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
    proxy_set_header Host $host;
    proxy_cache_bypass $http_upgrade;
    proxy_pass http://localhost:3003/;
    proxy_redirect off;
  }

  ## ERROR PAGE LOCATION
  error_page 404 /404.html;
  location = /404.html {
    root /var/www/XXXX/XXXX/404;
    internal;
  }

  ## DENY REQUESTS STARTING WITH ht (htaccess, htgroup, htusers)
  location ~ /\.ht {
    deny all;
  }
}
```
alphadmon
    There's more to CORS than just adding `Access-Control-Allow-*` response headers. Just use the `cors()` middleware instead of trying to do it yourself – Phil Oct 20 '22 at 05:43
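
The browser error in the question means the `OPTIONS` preflight came back with a non-2xx status. As an added example (not part of the original question or comment, and not the `cors` package's own code), here is a dependency-free middleware with the same `(request, response, next)` shape as the handler in the question that answers the preflight itself. `ALLOWED_ORIGINS` and `corsMiddleware` are hypothetical names, and replacing `*` with an allowlist containing `https://frontend.com` is an assumption.

```javascript
// Added example: ALLOWED_ORIGINS and corsMiddleware are hypothetical names.
// Origins allowed to call the API; https://frontend.com is the origin from the question.
const ALLOWED_ORIGINS = new Set(["https://frontend.com"]);
const ALLOWED_METHODS = "GET, POST, OPTIONS";
const ALLOWED_HEADERS = "Origin, X-Requested-With, Content-Type, Accept, Authorization";

// Express-style middleware: (request, response, next).
function corsMiddleware(request, response, next) {
  const origin = request.headers.origin;

  // Responses differ per Origin, so shared caches must key on it.
  response.setHeader("Vary", "Origin");

  if (origin && ALLOWED_ORIGINS.has(origin)) {
    // Echo the single matching origin instead of "*".
    response.setHeader("Access-Control-Allow-Origin", origin);
  }

  // A preflight is an OPTIONS request carrying Access-Control-Request-Method.
  const isPreflight =
    request.method === "OPTIONS" &&
    request.headers["access-control-request-method"] !== undefined;

  if (!isPreflight) {
    return next(); // actual request: continue to the route handlers
  }

  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    // Unknown origin: answer without CORS headers so the browser blocks it.
    response.statusCode = 403;
    return response.end();
  }

  response.setHeader("Access-Control-Allow-Methods", ALLOWED_METHODS);
  response.setHeader("Access-Control-Allow-Headers", ALLOWED_HEADERS);
  response.setHeader("Access-Control-Max-Age", "600");
  // The preflight must end here with a 2xx status; it never reaches a route.
  response.statusCode = 204;
  response.end();
}
```

Register it with `app.use(corsMiddleware)` before any routes. The preflight also has to reach Node at all, so the request path must match one of the proxied NGINX `location` blocks.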
