frontend localnodes
    bind *:80
    reqadd X-Forwarded-Proto:\ http
    # Add CORS headers when Origin header is present
    capture request header origin len 128
    http-response add-header Access-Control-Allow-Origin %[capture.req.hdr(0)] if { capture.req.hdr(0) -m found }
    rspadd Access-Control-Allow-Methods:\ GET,\ HEAD,\ OPTIONS,\ POST,\ PUT if { capture.req.hdr(0) -m found }
    rspadd Access-Control-Allow-Credentials:\ true if { capture.req.hdr(0) -m found }
    rspadd Access-Control-Allow-Headers:\ Origin,\ Accept,\ X-Requested-With,\ Content-Type,\ Access-Control-Request-Method,\ Access-Control-Request-Headers,\ Authorization if { capture.req.hdr(0) -m found }
    default_backend backend_apps

frontend localnodes-https
    # Certificate
    bind *:443 ssl crt /etc/ssl/private/domain_com.pem
    reqadd X-Forwarded-Proto:\ https
    # Add CORS headers when Origin header is present
    capture request header origin len 128
    http-response add-header Access-Control-Allow-Origin %[capture.req.hdr(0)] if { capture.req.hdr(0) -m found }
    rspadd Access-Control-Allow-Methods:\ GET,\ HEAD,\ OPTIONS,\ POST,\ PUT if { capture.req.hdr(0) -m found }
    rspadd Access-Control-Allow-Credentials:\ true if { capture.req.hdr(0) -m found }
    rspadd Access-Control-Allow-Headers:\ Origin,\ Accept,\ X-Requested-With,\ Content-Type,\ Access-Control-Request-Method,\ Access-Control-Request-Headers,\ Authorization if { capture.req.hdr(0) -m found }
    default_backend backend_apps

backend backend_apps
    # Force HTTPS
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    redirect scheme https if !{ ssl_fc }
    server App1 192.168.1.201:80 check
    server App2 192.168.1.202:80 check
    server App3 192.168.1.203:80 check
    server App4 192.168.1.204:80 check
    server App5 192.168.1.205:80 check
Gist nasrulhazim/3f726dbe91c0fa87730809a014f89a02, last active November 5, 2024 12:03
Setting Up CORS in HAProxy
If you do this you screw the whole security concept of CORS ... please just add the origins you actually allow (instead of opening the door wide open with the capture origin header)
Anyone get the solution with backend and authentication as true?
Using the above configuration we are getting the below error:
Access-Control-Allow-Origin contains multiple headers, but only one is allowed
We are using this configuration in HAProxy:
    # Add CORS headers when Origin header is present
    capture request header origin len 128
    http-response add-header Access-Control-Allow-Origin %[capture.req.hdr(0)] if { capture.req.hdr(0) -m found }
    rspadd Access-Control-Allow-Methods:\ GET,\ HEAD,\ OPTIONS,\ POST,\ PUT if { capture.req.hdr(0) -m found }
    rspadd Access-Control-Allow-Credentials:\ true if { capture.req.hdr(0) -m found }
    rspadd Access-Control-Allow-Headers:\ Origin,\ Accept,\ X-Requested-With,\ Content-Type,\ Access-Control-Request-Method,\ Access-Control-Request-Headers,\ Authorization if { capture.req.hdr(0) -m found }
    default_backend backend_apps
Need this type of configuration for HAProxy version 2.4.12-4b7772e 2022/01/11.
The above configuration is working for me on HAProxy versions 1.5 and 1.8.
But after upgrading HAProxy to 2.4 it's not working.
@akshatkalkhanda, might be a little late, but:
    capture request header origin len 128
    http-response set-header Access-Control-Allow-Origin %[capture.req.hdr(0)] if { capture.req.hdr(0) -m found }
    http-response set-header Access-Control-Allow-Headers "Origin, Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers, Authorization" if { capture.req.hdr(0) -m found }
    http-response set-header Access-Control-Allow-Methods "GET, HEAD, OPTIONS, POST, PUT" if { capture.req.hdr(0) -m found }
    http-response set-header Access-Control-Allow-Credentials true if { capture.req.hdr(0) -m found }
    http-response set-header Strict-Transport-Security max-age=15768000 if { ssl_fc }
    http-response set-header X-Frame-Options "SAMEORIGIN"
    http-response set-header X-Xss-Protection "1; mode=block"
    http-response set-header X-Content-Type-Options "nosniff"
If you are using the wildcard ( * ) in the header, please be aware that if you are using authentication, then it is not allowed; the domain has to be exact. If what you are developing is public and with no authentication, use the wildcard. Otherwise: be cautious :)
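An allow-list version of the HTTPS frontend, written as an added example here (it is not the gist's own configuration and not from any of the commenters) to show what the first comment above asks for ("just add the origins you actually allow") and what the last comment warns about (no wildcard together with credentials). Instead of echoing whatever `Origin` the client sends, it only reflects an origin that matches a fixed list and sets no CORS headers at all otherwise. The two origins, the ACL name `cors_allowed_origin` and the variable `txn.cors_origin` are placeholders chosen for this example; the `bind` line and backend name are taken from the gist. The `http-request set-var` / `http-response set-header` syntax used here is the 2.x form, so it does not rely on the `rspadd` keyword that the thread reports as broken on 2.4.

```haproxy
frontend localnodes-https
    bind *:443 ssl crt /etc/ssl/private/domain_com.pem
    http-request set-header X-Forwarded-Proto https

    # Allow-list of origins (placeholder names). Only these ever receive
    # Access-Control-* headers; any other Origin gets none, so the browser
    # blocks the cross-origin read instead of the proxy "opening the door".
    acl cors_allowed_origin req.hdr(Origin) -m str -i https://app.example.com https://admin.example.com

    # Store the vetted Origin for the response phase. Request headers are
    # not readable in http-response rules unless captured or kept in a var.
    http-request set-var(txn.cors_origin) req.hdr(Origin) if cors_allowed_origin

    # set-header (not add-header) so a backend that already emits the header
    # does not produce the "multiple headers" error seen in the thread.
    # Exactly one concrete origin is echoed; never "*" together with
    # Allow-Credentials: true, which browsers reject.
    http-response set-header Access-Control-Allow-Origin %[var(txn.cors_origin)] if { var(txn.cors_origin) -m found }
    http-response set-header Access-Control-Allow-Credentials true if { var(txn.cors_origin) -m found }
    http-response set-header Access-Control-Allow-Methods "GET, HEAD, OPTIONS, POST, PUT" if { var(txn.cors_origin) -m found }
    http-response set-header Access-Control-Allow-Headers "Origin, Accept, X-Requested-With, Content-Type, Authorization" if { var(txn.cors_origin) -m found }

    # The response now depends on the Origin request header; say so to shared
    # caches so one origin's reflected header is never served to another.
    http-response add-header Vary Origin if { var(txn.cors_origin) -m found }

    default_backend backend_apps
```

Preflight `OPTIONS` requests are still forwarded to the backend here, exactly as in the gist; the allow-list only decides which origins get the headers on the way back. To add or remove a permitted site, edit the `acl` line (or move the list into a map file) rather than loosening the match to a reflected header.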