nginx 为多个子域名启用 CORS

tag-icon tag-icon nginx
nginx 为多个子域名启用 CORS

我的 nginx 版本:nginx/1.4.6

我在为多个子域启用 CORS 时遇到问题。我检查了https://gist.github.com/algal/5480916http://rustyrazorblade.com/post/2013/2013-10-31-cors-with-wildcard-domains-and-nginx/但这两种解决方案对我来说都不起作用。

它看起来像正则表达式

if ($http_origin ~* (.*\.mydomain.com)) {
    set $cors "true";
}

不匹配且 $cors 未设置为“true”,因此 add_header 'Access-Control-Allow-Origin' "$http_origin" 将不会被执行。

我也尝试过使用正则表达式

$http_origin ~* (https?://.*.mydomain.com)

或者

$http_origin ~* https?://.*.mydomain.com

但无论哪种情况,正则表达式都不匹配,并且 $cors 永远不会设置为“true”。

我错过了什么?

我的 nginx 配置 - 花括号中的域名(正在被 Ansible 替换):

upstream varnish {
  server localhost:80;
}

server {
    listen 443 default;
    server_name {{vhost}};

    ssl                  on;
    ssl_certificate      /etc/ssl/certs/ssl.{{domain}}.crt;
    ssl_certificate_key  /etc/ssl/private/{{domain}}.key;

    ssl_session_timeout  5m;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    #ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    #ssl_prefer_server_ciphers   on;

    # workaround remote exploit. Fixed in 1.5.0, 1.4.1
    #
    # http://mailman.nginx.org/pipermail/nginx-announce/2013/000112.html
    if ($http_transfer_encoding ~* chunked) {
        return 444;
    }

    proxy_set_header X-Real-IP  $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header Host $http_host;

    proxy_redirect off;

    # CORS
    set $cors "";
    if ($http_origin ~* (.*\.{{domain}})) {
        set $cors "true";
    }

    location / {
            # Set the max size for file uploads (/admin, /webmail)
            client_max_body_size 10G;

            proxy_pass http://varnish;
            if ($cors = "true") {
                add_header 'Access-Control-Allow-Origin' "$http_origin";
                add_header 'Access-Control-Allow_Credentials' 'true';
                add_header 'Access-Control-Allow-Headers' 'Authorization,Accept,Origin,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range, X-CSRF-Token';
                add_header 'Access-Control-Allow-Methods' 'GET,POST,OPTIONS,PUT,DELETE,PATCH';
            }

            if ($request_method = OPTIONS) {
                return 204;
            }

    }

    location = /50x.html {
        root   html;
    }

}

答案1

在 NGINX 中使用位置块时会发生一些意外情况if。不建议这样做。以下是使用的解决方案maphttps://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/https://agentzh.blogspot.com/2011/03/how-nginx-location-if-works.html

此设置允许我向 my-domain.com 和 localhost(用于开发)上的任何子域和任何端口发出请求。

map $http_origin $allow_origin {
    ~^https?://(.*\.)?my-domain.com(:\d+)?$ $http_origin;
    ~^https?://(.*\.)?localhost(:\d+)?$ $http_origin;
    default "";
}

server {
    listen 80 default_server;
    server_name _;
    add_header 'Access-Control-Allow-Origin' $allow_origin;
    add_header Vary Origin; 
    # ...
}

http://nginx.org/en/docs/http/ngx_http_map_module.html

笔记:

服务器还应该在 Vary 响应标头中包含 Origin,以向客户端指示服务器响应将根据 Origin 请求标头的值而有所不同。

https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#access-control-allow-origin

答案2

您可以使用这个巧妙的解决方法来解决只有一个子域的限制,该解决方法允许所有子域:

server {

    root /path/to/your/stuff;

    index index.html index.htm;

     set $cors "";

    if ($http_origin ~* (.*\.yoursweetdomain.com)) {
        set $cors "true";
    }

    server_name yoursweetdomain.com;

    location / {

        if ($cors = "true") {
            add_header 'Access-Control-Allow-Origin' "$http_origin";
            add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, DELETE, PUT';
            add_header 'Access-Control-Allow-Credentials' 'true';
            add_header 'Access-Control-Allow-Headers' 'User-Agent,Keep-Alive,Content-Type';
        }


        if ($request_method = OPTIONS) {
            return 204;
        }

    }
}

信用:http://rustyrazorblade.com/post/2013/2013-10-31-cors-with-wildcard-domains-and-nginx/

答案3

已经过去一年了,但这是对我有用的解决方案。

location / {
    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  
    # Nginx doesn't support nested If statements, so we
    # concatenate compound conditions on the $cors variable
    # and process later

    # If request comes from allowed subdomain
    # (*.mckinsey.com) then we enable CORS
    if ($http_origin ~* (https?://.*\.mckinsey\.com(:[0-9]+)?$)) {
       set $cors "1";
    }
  
    # OPTIONS indicates a CORS pre-flight request
    if ($request_method = 'OPTIONS') {
       set $cors "${cors}o";
    }
  
    # Append CORS headers to any request from 
    # allowed CORS domain, except OPTIONS
    if ($cors = "1") {
       more_set_headers 'Access-Control-Allow-Origin: $http_origin';
       more_set_headers 'Access-Control-Allow-Credentials: true';
       proxy_pass      http://serverIP:serverPort;
    }
  
    # OPTIONS (pre-flight) request from allowed 
    # CORS domain. return response directly
    if ($cors = "1o") {
       more_set_headers 'Access-Control-Allow-Origin: $http_origin';
       more_set_headers 'Access-Control-Allow-Methods: GET, POST, OPTIONS, PUT, DELETE';
       more_set_headers 'Access-Control-Allow-Credentials: true';
       more_set_headers 'Access-Control-Allow-Headers: Origin,Content-Type,Accept';
       add_header Content-Length 0;
       add_header Content-Type text/plain;
       return 204;
    }
  
    # Requests from non-allowed CORS domains
       proxy_pass      http://serverIP:serverPort;
  }

来源:https://gist.github.com/bramswenson/51f0721dec22b9b258aea48b59e9a32c

答案4

$http_origin包含请求标头中“origin”字段的值。

您可能觉得它不起作用的原因是您使用请求对其进行了测试,其中“origin”标头字段为空的。 例子:浏览器不会在 GET 请求中设置来源字段,仅限于 POST 甚至更多......

如需了解确切信息,请参阅https://stackoverflow.com/questions/42239643/when-do-browsers-send-the-origin-header-when-do-browsers-set-the-origin-to-null

所以,上面的代码运行正常因为您的 GET 请求不需要响应标头中的 CORS 字段。GET 无需这些字段即可工作!

相关内容