Skip to content

Instantly share code, notes, and snippets.

@bravepickle

bravepickle/cors.nginx.conf

Last active February 25, 2021 23:10
Show Gist options
  • Save bravepickle/652e636801f7e50ab04c217b5ec4e3ff to your computer and use it in GitHub Desktop.
Save bravepickle/652e636801f7e50ab04c217b5ec4e3ff to your computer and use it in GitHub Desktop.
Download ZIP
CORS config for handling in NGINX
Raw
cors.nginx.conf
# Handling CORS headers for handling cross-origin requests example
# See https://developer.mozilla.org/en/docs/Web/HTTP/CORS
# TODO: check if origin is set. If missing then do not add CORS headers
# TODO: handle ports in origin
# check if origin header is among allowed ones
map $http_origin $cors_origin {
hostnames;
# all domains and subdomains for my-site.com or *.my-site.com can request contents
# E.g. www.my-site.com can request data from api.my-site.com
.my-site.com $http_origin;
'http://api.my-site.com:7777' $http_origin; # handle non-standard port
# add more domains where non-standard port usage is expected...
# fallback otherwise
default www.my-site.com; # my canonical host name
# in developer mode use next line instead of previous one
# default '*'; # allow all cross-origin requests. Not for production!
}
# check if CORS "simple request" (it does not require preflight requests) is done that we support
map $request_method $cors_is_simple_request {
'GET' 1;
'POST' 1;
'HEAD' 1;
default 0; # not simple request or not suppported by application method
}
server {
listen 80;
listen 7777; # non-standard port. May be used in development see handling above
server_name my-site.com www.my-site.com api.my-site.com; # use the same host as docker container app
root /var/www/site.com;
access_log /var/log/nginx/my-site.access.log;
error_log /var/log/nginx/my-site.error.log notice;
# add optional headers...
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";
# handling static files - js, css, png...
location /static/ {
# processing preflight requests
if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Allow-Origin' $cors_origin;
add_header 'Access-Control-Allow-Credentials' 'false';
add_header 'Access-Control-Allow-Methods' 'OPTIONS, GET, HEAD';
# specify allowed headers for passing over request from client to server
add_header 'Access-Control-Allow-Headers' 'DNT, User-Agent, X-Requested-With, If-Modified-Since, Content-Type, Cache-Control';
# add extra headers to preflight response to cache results for some time
add_header 'Access-Control-Max-Age' 86400;
add_header 'Content-Type' 'text/plain charset=UTF-8';
add_header 'Content-Length' 0;
# indicate that responses may vary based on these provided headers
add_header 'Vary' 'Accept-Encoding, Origin';
# add optional headers...
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";
return 204;
}
# handling simple requests that are not preflighted
if ($cors_is_simple_request) {
add_header 'Access-Control-Allow-Origin' $cors_origin;
add_header 'Access-Control-Allow-Credentials' 'false';
add_header 'Access-Control-Allow-Methods' 'OPTIONS, HEAD, GET';
add_header 'Access-Control-Allow-Headers' 'DNT, User-Agent, X-Requested-With, If-Modified-Since, Content-Type, Cache-Control';
add_header 'Access-Control-Expose-Headers' 'Content-Length, Content-Range';
add_header 'Vary' 'Accept-Encoding, Origin';
# add more CORS headers here and other blocks...
# add optional headers...
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";
}
}
# handling dynamic files - with cgi
# see https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/
location / {
# processing preflight requests
if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Allow-Origin' $cors_origin;
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Methods' 'OPTIONS, GET, HEAD, POST, PUT, DELETE, PATCH';
# specify allowed headers for passing over request from client to server
add_header 'Access-Control-Allow-Headers' 'DNT, User-Agent, X-Requested-With, If-Modified-Since, Content-Type, Cache-Control, Authorization';
# add extra headers to preflight response to cache results for some time
add_header 'Access-Control-Max-Age' 86400;
add_header 'Content-Type' 'text/plain charset=UTF-8';
add_header 'Content-Length' 0;
# indicate that responses may vary based on these provided headers
add_header 'Vary' 'Accept-Encoding, Origin';
# add optional headers...
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";
return 204;
}
error_page 418 = @cors;
recursive_error_pages on;
# handling simple requests that are not preflighted
if ($cors_is_simple_request) {
# otherwise this if-block will break php forworing for try_files
return 418;
}
try_files $uri /index.php$is_args$args;
}
location @cors {
# Flag "always" will force headers to return with disregard to response status code
# will show headers only if files exist in given file system - see try_files
add_header 'Access-Control-Allow-Origin' $cors_origin always;
add_header 'Access-Control-Allow-Credentials' 'true' always;
add_header 'Access-Control-Allow-Methods' 'OPTIONS, HEAD, GET, POST, PUT, DELETE, PATCH' always;
add_header 'Access-Control-Allow-Headers' 'DNT, User-Agent, X-Requested-With, If-Modified-Since, Content-Type, Cache-Control, Authorization' always;
add_header 'Access-Control-Expose-Headers' 'Content-Length, Content-Range' always;
add_header 'Vary' 'Accept-Encoding, Origin' always;
# add optional headers...
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";
try_files $uri /index.php$is_args$args;
internal;
}
location ~ ^/index\.php(/|$) {
fastcgi_pass btc-php:9000;
fastcgi_split_path_info ^(.+\.php)(/.*)$;
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
include fastcgi_params;
# When you are using symlinks to link the document root to the
# current version of your application, you should pass the real
# application path instead of the path to the symlink to PHP
# FPM.
# Otherwise, PHP's OPcache may not properly detect changes to
# your PHP files (see https://github.com/zendtech/ZendOptimizerPlus/issues/126
# for more information).
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
fastcgi_param DOCUMENT_ROOT $realpath_root;
# Prevents URIs that include the front controller. This will 404:
# http://domain.tld/index.php/some-path
# Remove the internal directive to allow URIs like this
internal;
if ($cors_is_simple_request) {
# Flag "always" will force headers to return with disregard to response status code
add_header 'Access-Control-Allow-Origin' $cors_origin always;
add_header 'Access-Control-Allow-Credentials' 'true' always;
add_header 'Access-Control-Allow-Methods' 'OPTIONS, HEAD, GET, POST, PUT, DELETE, PATCH' always;
add_header 'Access-Control-Allow-Headers' 'DNT, User-Agent, X-Requested-With, If-Modified-Since, Content-Type, Cache-Control, Authorization' always;
add_header 'Access-Control-Expose-Headers' 'Content-Length, Content-Range' always;
add_header 'Vary' 'Accept-Encoding, Origin' always;
# add optional headers...
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";
}
}
location ~ /\.(?!well-known).* {
deny all;
}
location ~* \.(tpl|inc|sql)$ {
deny all;
}
location ~ /\.git {
deny all;
}
# return 404 for all other php files not matching the front controller
# this prevents access to other php files you don't want to be accessible.
location ~ \.php$ {
return 404;
}
# ... put your regular web host configs
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment