IT_man 發表於 2019-2-20 09:34:17

Nginx之CORS(Cross-Origin Resource Sharing,跨來源資源共享)來實現防止盜連多媒體資源

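注意:CORS標頭只決定瀏覽器是否允許跨來源的腳本讀取回應,並不會阻擋其他網站直接以 <img>、<video> 等標籤嵌入資源;若目的是防止盜連,仍需另外搭配 Referer 檢查(例如 Nginx 的 valid_referers)或簽章網址等機制。

以下是gist.github.com支援reverse proxied APIs的範例: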


# CORS header support
#
# One way to use this is by placing it into a file called "cors_support"
# under your Nginx configuration directory and placing the following
# statement inside your **location** block(s):
#
#   include cors_support;
#
# As of Nginx 1.7.5, add_header supports an "always" parameter which
# allows CORS to work if the backend returns 4xx or 5xx status code.
#
# For more information on CORS, please see: http://enable-cors.org/
# Forked from this Gist: https://gist.github.com/michiel/1064640
#

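# Origin allow-list: $cors becomes 'true' only when the request's Origin
# header is exactly one of the listed origins (the pattern is anchored with
# ^ and $, so look-alike hosts do not match).
# NOTE(review): the list accepts plain http:// origins and localhost while
# credentials are allowed below; for production, prefer https-only origins
# and drop localhost.
set $cors '';

# Per-request header values. They stay empty for origins that are not on the
# allow-list, and add_header omits a header whose value is empty.
set $cors_origin '';
set $cors_credentials '';
set $cors_methods '';
set $cors_headers '';

if ($http_origin ~ '^https?://(localhost|www\.yourdomain\.com|www\.yourotherdomain\.com)$') {
      set $cors 'true';
      set $cors_origin $http_origin;
      set $cors_credentials 'true';
      set $cors_methods 'GET, POST, PUT, DELETE, OPTIONS';
      set $cors_headers 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With';
}

if ($cors = 'true') {
      # The Origin value is echoed back only after it passed the allow-list;
      # browsers reject a wildcard origin on credentialed requests.
      add_header 'Access-Control-Allow-Origin' "$http_origin" always;
      add_header 'Access-Control-Allow-Credentials' 'true' always;
      add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;
      add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With' always;
      # The response differs per Origin, so caches must key on that header.
      add_header 'Vary' 'Origin' always;
      # required to be able to read Authorization header in frontend
      #add_header 'Access-Control-Expose-Headers' 'Authorization' always;
}

if ($request_method = 'OPTIONS') {
      # add_header is inherited from the enclosing level only when a block has
      # none of its own, and when several "if" blocks match, the configuration
      # of the last one is used. The pre-flight reply therefore has to carry
      # the CORS headers itself; the variables are empty (header omitted) for
      # origins that failed the allow-list.
      add_header 'Access-Control-Allow-Origin' $cors_origin always;
      add_header 'Access-Control-Allow-Credentials' $cors_credentials always;
      add_header 'Access-Control-Allow-Methods' $cors_methods always;
      add_header 'Access-Control-Allow-Headers' $cors_headers always;
      add_header 'Vary' 'Origin' always;
      # Tell client that this pre-flight info is valid for 20 days
      add_header 'Access-Control-Max-Age' 1728000;
      # Media type and charset parameter must be separated by a semicolon.
      add_header 'Content-Type' 'text/plain; charset=UTF-8';
      add_header 'Content-Length' 0;
      return 204;
}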
https://gist.github.com/Stanback/7145487#file-nginx-conf 的討論範例:
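# Reject any request method outside the expected set. 444 is nginx's
# non-standard code that closes the connection without sending a response.
if ( $request_method !~ ^(GET|POST|HEAD|OPTIONS|PUT|PATCH|DELETE)$ ) {
   return 444;
}

# Echo the caller's Origin only when it is on the allow-list; otherwise fall
# back to a fixed default origin, so an arbitrary Origin is never reflected.
# NOTE(review): the pattern also accepts plain http:// origins while
# credentials are allowed below; prefer https-only origins in production.
set $origin $http_origin;
if ($origin !~ '^https?://(subdom1|subdom2)\.yourdom\.zone$') {
   set $origin 'https://default.yourdom.zone';
}

# Pre-flight: answer directly with the CORS policy and an empty 204.
if ($request_method = 'OPTIONS') {
   add_header 'Access-Control-Allow-Origin' "$origin" always;
   add_header 'Access-Control-Allow-Methods' 'GET, POST, PATCH, PUT, DELETE, OPTIONS' always;
   add_header 'Access-Control-Allow-Headers' 'Content-Type, Accept, Authorization' always;
   add_header 'Access-Control-Allow-Credentials' 'true' always;
   # The Allow-Origin value depends on the request's Origin header, so caches
   # must key on it.
   add_header 'Vary' 'Origin' always;
   add_header Access-Control-Max-Age 1728000;   #20 days
   # Media type and charset parameter must be separated by a semicolon.
   add_header Content-Type 'text/plain; charset=UTF-8';
   add_header Content-Length 0;
   return 204;
}

# Actual requests. The pattern is anchored so it matches whole method names
# only, consistent with the method filter above.
# NOTE(review): HEAD passes the method filter but is not listed here, so HEAD
# responses carry no CORS headers - confirm that is intended.
if ($request_method ~ '^(GET|POST|PATCH|PUT|DELETE)$') {
   add_header Access-Control-Allow-Origin "$origin" always;
   add_header Access-Control-Allow-Methods 'GET, POST, PATCH, PUT, DELETE, OPTIONS' always;
   add_header Access-Control-Allow-Headers 'Content-Type, Accept, Authorization' always;
   add_header Access-Control-Allow-Credentials true always;
   add_header Vary Origin always;
}
Access-Control-Allow-Origin Multiple Origin Domains? 的例子:
# based on https://gist.github.com/4165271/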
#
# Slightly tighter CORS config for nginx
#
# A modification of https://gist.github.com/1064640/ to include a white-list of URLs
#
# Despite the W3C guidance suggesting that a list of origins can be passed as part of
# Access-Control-Allow-Origin headers, several browsers (well, at least Firefox)
# don't seem to play nicely with this.
#
# To avoid the use of 'Access-Control-Allow-Origin: *', use a simple-ish whitelisting
# method to control access instead.
#
# NB: This relies on the use of the 'Origin' HTTP Header.

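location / {

    # $cors is built up as a small state string: "true" when the Origin is on
    # the allow-list, followed by the lower-cased request method. Start from an
    # empty value so the concatenations below never read an unset variable.
    set $cors "";

    # Case-insensitive allow-list on the Origin header.
    # NOTE(review): ([^/]+\.)* accepts every subdomain at any depth of the two
    # domains, and credentials are allowed below, so every host under those
    # domains becomes part of the trust boundary. List exact hostnames if
    # that is broader than intended; http:// origins are accepted as well.
    if ($http_origin ~* (^https?://([^/]+\.)*(domainone|domaintwo)\.com$)) {
      set $cors "true";
    }

    # Nginx doesn't support nested If statements. This is where things get slightly nasty.
    # Determine the HTTP request method used
    if ($request_method = 'OPTIONS') {
      set $cors "${cors}options";
    }
    if ($request_method = 'GET') {
      set $cors "${cors}get";
    }
    if ($request_method = 'POST') {
      set $cors "${cors}post";
    }

    # Without a matching Origin the value is "", "options", "get" or "post",
    # none of which is handled below, so no CORS header is emitted.

    if ($cors = "true") {
      # Catch all in case there's a request method we're not dealing with properly
      add_header 'Access-Control-Allow-Origin' "$http_origin";
      # The response differs per Origin, so caches must key on that header.
      add_header 'Vary' 'Origin';
    }

    if ($cors = "trueget") {
      add_header 'Access-Control-Allow-Origin' "$http_origin";
      add_header 'Access-Control-Allow-Credentials' 'true';
      add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
      add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
      add_header 'Vary' 'Origin';
    }

    if ($cors = "trueoptions") {
      add_header 'Access-Control-Allow-Origin' "$http_origin";

      #
      # Allow cookies and other credentials on cross-origin requests
      #
      add_header 'Access-Control-Allow-Credentials' 'true';
      add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';

      #
      # Custom headers and headers various browsers *should* be OK with but aren't
      #
      add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
      add_header 'Vary' 'Origin';

      #
      # Tell client that this pre-flight info is valid for 20 days
      #
      add_header 'Access-Control-Max-Age' 1728000;
      # Media type and charset parameter must be separated by a semicolon.
      add_header 'Content-Type' 'text/plain; charset=UTF-8';
      add_header 'Content-Length' 0;
      return 204;
    }

    if ($cors = "truepost") {
      add_header 'Access-Control-Allow-Origin' "$http_origin";
      add_header 'Access-Control-Allow-Credentials' 'true';
      add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
      add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
      add_header 'Vary' 'Origin';
    }

}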
