-
-
Save vbguard/90a0c5569a4b40e8d3da1583b0037985 to your computer and use it in GitHub Desktop.
Nginx configuration for CORS-enabled HTTPS proxy with origin white-list defined by a simple regex
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # | |
| # Acts as a nginx HTTPS proxy server | |
| # enabling CORS only to domains matched by regex | |
| # /https?://.*\.mckinsey\.com(:[0-9]+)?)/ | |
| # | |
| # Based on: | |
| # * http://blog.themillhousegroup.com/2013/05/nginx-as-cors-enabled-https-proxy.html | |
| # * http://enable-cors.org/server_nginx.html | |
| # | |
| server { | |
| listen 443 default_server ssl; | |
| server_name localhost; | |
| # Fake certs - fine for development purposes :-) | |
| ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem; | |
| ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key; | |
| ssl_session_timeout 5m; | |
| location / { | |
| proxy_redirect off; | |
| proxy_set_header Host $host; | |
| proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
| # Nginx doesn't support nested If statements, so we | |
| # concatenate compound conditions on the $cors variable | |
| # and process later | |
| # If request comes from allowed subdomain | |
| # (*.mckinsey.com) then we enable CORS | |
| if ($http_origin ~* (https?://.*\.mckinsey\.com(:[0-9]+)?$)) { | |
| set $cors "1"; | |
| } | |
| # OPTIONS indicates a CORS pre-flight request | |
| if ($request_method = 'OPTIONS') { | |
| set $cors "${cors}o"; | |
| } | |
| # Append CORS headers to any request from | |
| # allowed CORS domain, except OPTIONS | |
| if ($cors = "1") { | |
| more_set_headers 'Access-Control-Allow-Origin: $http_origin'; | |
| more_set_headers 'Access-Control-Allow-Credentials: true'; | |
| proxy_pass http://serverIP:serverPort; | |
| } | |
| # OPTIONS (pre-flight) request from allowed | |
| # CORS domain. return response directly | |
| if ($cors = "1o") { | |
| more_set_headers 'Access-Control-Allow-Origin: $http_origin'; | |
| more_set_headers 'Access-Control-Allow-Methods: GET, POST, OPTIONS, PUT, DELETE'; | |
| more_set_headers 'Access-Control-Allow-Credentials: true'; | |
| more_set_headers 'Access-Control-Allow-Headers: Origin,Content-Type,Accept'; | |
| add_header Content-Length 0; | |
| add_header Content-Type text/plain; | |
| return 204; | |
| } | |
| # Requests from non-allowed CORS domains | |
| proxy_pass http://serverIP:serverPort; | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment