Skip to content

Instantly share code, notes, and snippets.

@nasrulhazim
Last active November 5, 2024 12:03
Show Gist options
  • Save nasrulhazim/3f726dbe91c0fa87730809a014f89a02 to your computer and use it in GitHub Desktop.
Save nasrulhazim/3f726dbe91c0fa87730809a014f89a02 to your computer and use it in GitHub Desktop.
Setting Up CORS in HAProxy
frontend localnodes
    bind *:80
    reqadd X-Forwarded-Proto:\ http

    # Add CORS headers when Origin header is present
    capture request header origin len 128
    http-response add-header Access-Control-Allow-Origin %[capture.req.hdr(0)] if { capture.req.hdr(0) -m found }
    rspadd Access-Control-Allow-Methods:\ GET,\ HEAD,\ OPTIONS,\ POST,\ PUT  if { capture.req.hdr(0) -m found }
    rspadd Access-Control-Allow-Credentials:\ true  if { capture.req.hdr(0) -m found }
    rspadd Access-Control-Allow-Headers:\ Origin,\ Accept,\ X-Requested-With,\ Content-Type,\ Access-Control-Request-Method,\ Access-Control-Request-Headers,\ Authorization  if { capture.req.hdr(0) -m found }

    default_backend backend_apps

frontend localnodes-https
    # Certificate
    bind *:443 ssl crt /etc/ssl/private/domain_com.pem
    reqadd X-Forwarded-Proto:\ https

    # Add CORS headers when Origin header is present
    capture request header origin len 128
    http-response add-header Access-Control-Allow-Origin %[capture.req.hdr(0)] if { capture.req.hdr(0) -m found }
    rspadd Access-Control-Allow-Methods:\ GET,\ HEAD,\ OPTIONS,\ POST,\ PUT  if { capture.req.hdr(0) -m found }
    rspadd Access-Control-Allow-Credentials:\ true  if { capture.req.hdr(0) -m found }
    rspadd Access-Control-Allow-Headers:\ Origin,\ Accept,\ X-Requested-With,\ Content-Type,\ Access-Control-Request-Method,\ Access-Control-Request-Headers,\ Authorization  if { capture.req.hdr(0) -m found }

    default_backend backend_apps
        
backend backend_apps
    # Force HTTPS
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    redirect scheme https if !{ ssl_fc }
    server App1 192.168.1.201:80 check
    server App2 192.168.1.202:80 check
    server App3 192.168.1.203:80 check
    server App4 192.168.1.204:80 check
    server App5 192.168.1.205:80 check
@csaltos
Copy link

csaltos commented Apr 5, 2021

If you do this you screw the whole security concept of CORS ... please just add the origins you actually allow (instead of opening the door wide open with the capture origin header)

@lafada
Copy link

lafada commented Sep 7, 2021

Anyone get the solution with backend and authentication as true?

@vishalk663
Copy link

vishalk663 commented Sep 14, 2021

using the above configuration we getting the below error

Access-Control-Allow-Origin contains muliple headers. but only one is allowed

we using this configuration in haproxy

    # Add CORS headers when Origin header is present
    capture request header origin len 128
    http-response add-header Access-Control-Allow-Origin %[capture.req.hdr(0)] if { capture.req.hdr(0) -m found }
    rspadd Access-Control-Allow-Methods:\ GET,\ HEAD,\ OPTIONS,\ POST,\ PUT  if { capture.req.hdr(0) -m found }
    rspadd Access-Control-Allow-Credentials:\ true  if { capture.req.hdr(0) -m found }
    rspadd Access-Control-Allow-Headers:\ Origin,\ Accept,\ X-Requested-With,\ Content-Type,\ Access-Control-Request-Method,\ Access-Control-Request-Headers,\ Authorization  if { capture.req.hdr(0) -m found }

    default_backend backend_apps

@akshatkalkhanda
Copy link

Need this type of configuration for HAProxy version 2.4.12-4b7772e 2022/01/11.

As above configuration is working for me on HaProxy Version 1.5,1.8.

BUt after upgrading Haproxy to 2.4 its not working.

@nicovs
Copy link

nicovs commented Mar 31, 2022

@akshatkalkhanda , might be a little late, but:

    capture request header origin len 128
    http-response set-header Access-Control-Allow-Origin %[capture.req.hdr(0)] if { capture.req.hdr(0) -m found }
    http-response set-header Access-Control-Allow-Headers "Origin, Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers, Authorization" if { capture.req.hdr(0) -m found }
    http-response set-header Access-Control-Allow-Methods "GET, HEAD, OPTIONS, POST, PUT" if { capture.req.hdr(0) -m found }
    http-response set-header Access-Control-Allow-Credentials true if { capture.req.hdr(0) -m found }

    http-response set-header Strict-Transport-Security max-age=15768000 if { ssl_fc }
    http-response set-header X-Frame-Options "SAMEORIGIN"
    http-response set-header X-Xss-Protection "1; mode=block"
    http-response set-header X-Content-Type-Options "nosniff"

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment