以下是 gist.github.com 上支援 reverse proxied APIs 的範例:
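# CORS header support
#
# One way to use this is by placing it into a file called "cors_support"
# under your Nginx configuration directory and placing the following
# statement inside your **location** block(s):
#
#   include cors_support;
#
# As of Nginx 1.7.5, add_header supports an "always" parameter which
# allows CORS to work if the backend returns 4xx or 5xx status code.
#
# For more information on CORS, please see: http://enable-cors.org/
# Forked from this Gist: https://gist.github.com/michiel/1064640
#
# Review notes:
#  - The allowlist regex accepts "localhost" (without a port) and plain "http://"
#    origins. Together with Access-Control-Allow-Credentials: true this grants any
#    page served from those origins credentialed access, so trim the list (https
#    only, no localhost) to match the real frontends.
#  - nginx does not support nested "if"; the last matching "if" block supplies the
#    response headers, and add_header is not inherited from a sibling block. The
#    original OPTIONS block therefore answered preflights with none of the
#    Access-Control-* headers. The request method is now folded into $cors so the
#    preflight branch can repeat them.

set $cors '';
if ($http_origin ~ '^https?://(localhost|www\.yourdomain\.com|www\.yourotherdomain\.com)$') {
    set $cors 'true';
}

# Tag preflight requests: $cors becomes 'trueoptions' for an allowlisted origin
# and 'options' for any other origin.
if ($request_method = 'OPTIONS') {
    set $cors "${cors}options";
}

# Actual (non-preflight) requests from an allowlisted origin.
if ($cors = 'true') {
    add_header 'Access-Control-Allow-Origin' "$http_origin" always;
    add_header 'Access-Control-Allow-Credentials' 'true' always;
    add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;
    add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With' always;
    # required to be able to read Authorization header in frontend
    #add_header 'Access-Control-Expose-Headers' 'Authorization' always;
}

# Preflight from an allowlisted origin. The CORS headers are repeated here because
# they are not inherited from the block above.
if ($cors = 'trueoptions') {
    add_header 'Access-Control-Allow-Origin' "$http_origin" always;
    add_header 'Access-Control-Allow-Credentials' 'true' always;
    add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;
    add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With' always;
    # Tell client that this pre-flight info is valid for 20 days
    add_header 'Access-Control-Max-Age' 1728000;
    add_header 'Content-Type' 'text/plain charset=UTF-8';
    add_header 'Content-Length' 0;
    return 204;
}

# Preflight from any other origin: answer 204 without CORS headers, as before,
# instead of forwarding the OPTIONS request to the backend.
if ($cors = 'options') {
    add_header 'Content-Type' 'text/plain charset=UTF-8';
    add_header 'Content-Length' 0;
    return 204;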
}
https://gist.github.com/Stanback/7145487#file-nginx-conf 的討論範例:
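# Reject anything outside the expected method set before doing any CORS work.
# 444 makes nginx close the connection without sending a response.
if ( $request_method !~ ^(GET|POST|HEAD|OPTIONS|PUT|PATCH|DELETE)$ ) {
    return 444;
}

# Echo the Origin header only when it is on the allowlist; any other origin is answered
# with a fixed origin that will not match the requesting page, so the browser rejects it.
# Note that the allowlist also accepts plain http:// origins while
# Access-Control-Allow-Credentials is true; restrict it to https if the frontends allow.
set $origin $http_origin;
if ($origin !~ '^https?://(subdom1|subdom2)\.yourdom\.zone$') {
    set $origin 'https://default.yourdom.zone';
}

# Preflight: answered here, never forwarded to the backend.
if ($request_method = 'OPTIONS') {
    add_header 'Access-Control-Allow-Origin' "$origin" always;
    add_header 'Access-Control-Allow-Methods' 'GET, POST, PATCH, PUT, DELETE, OPTIONS' always;
    add_header 'Access-Control-Allow-Headers' 'Content-Type, Accept, Authorization' always;
    add_header 'Access-Control-Allow-Credentials' 'true' always;
    add_header 'Access-Control-Max-Age' 1728000; # 20 days
    add_header 'Content-Type' 'text/plain charset=UTF-8';
    add_header 'Content-Length' 0;
    return 204;
}

# Actual requests. HEAD is admitted by the method filter above but was missing from this
# match, so cross-origin HEAD responses carried no CORS headers; it is now included (HEAD
# is a CORS-safelisted method and needs no entry in Access-Control-Allow-Methods).
if ($request_method ~ '^(GET|HEAD|POST|PATCH|PUT|DELETE)$') {
    add_header 'Access-Control-Allow-Origin' "$origin" always;
    add_header 'Access-Control-Allow-Methods' 'GET, POST, PATCH, PUT, DELETE, OPTIONS' always;
    add_header 'Access-Control-Allow-Headers' 'Content-Type, Accept, Authorization' always;
    add_header 'Access-Control-Allow-Credentials' 'true' always;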
}
Access-Control-Allow-Origin Multiple Origin Domains? 的例子:
# based on https://gist.github.com/4165271/
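#
# Slightly tighter CORS config for nginx
#
# A modification of https://gist.github.com/1064640/ to include a white-list of URLs
#
# Despite the W3C guidance suggesting that a list of origins can be passed as part of
# Access-Control-Allow-Origin headers, several browsers (well, at least Firefox)
# don't seem to play nicely with this.
#
# To avoid the use of 'Access-Control-Allow-Origin: *', use a simple-ish whitelisting
# method to control access instead.
#
# NB: This relies on the use of the 'Origin' HTTP Header.
#
# Review notes:
#  - The whitelist regex trusts every subdomain of domainone.com / domaintwo.com, at
#    any depth, over http or https. With Allow-Credentials: true each of those hosts
#    can make credentialed requests, so keep the pattern as narrow as the frontends allow.
#  - None of the add_header lines use "always", so the CORS headers are dropped on
#    4xx/5xx responses from the backend ("always" needs nginx 1.7.5 or later).

location / {
    # Initialise $cors explicitly. Previously it was only assigned inside the "if", so a
    # non-whitelisted Origin left it undefined and nginx logged an uninitialized-variable
    # warning on every such request. Comparisons below behave exactly as before.
    set $cors "";
    if ($http_origin ~* (^https?://([^/]+\.)*(domainone|domaintwo)\.com$)) {
        set $cors "true";
    }

    # Nginx doesn't support nested If statements. This is where things get slightly nasty.
    # Determine the HTTP request method used and fold it into $cors, so that one "if"
    # below can match origin and method at the same time.
    if ($request_method = 'OPTIONS') {
        set $cors "${cors}options";
    }
    if ($request_method = 'GET') {
        set $cors "${cors}get";
    }
    if ($request_method = 'POST') {
        set $cors "${cors}post";
    }

    if ($cors = "true") {
        # Catch all incase there's a request method we're not dealing with properly
        add_header 'Access-Control-Allow-Origin' "$http_origin";
    }

    if ($cors = "trueget") {
        add_header 'Access-Control-Allow-Origin' "$http_origin";
        add_header 'Access-Control-Allow-Credentials' 'true';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
    }

    if ($cors = "trueoptions") {
        add_header 'Access-Control-Allow-Origin' "$http_origin";

        #
        # Om nom nom cookies
        #
        add_header 'Access-Control-Allow-Credentials' 'true';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';

        #
        # Custom headers and headers various browsers *should* be OK with but aren't
        #
        add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';

        #
        # Tell client that this pre-flight info is valid for 20 days
        #
        add_header 'Access-Control-Max-Age' 1728000;
        add_header 'Content-Type' 'text/plain charset=UTF-8';
        add_header 'Content-Length' 0;
        return 204;
    }

    if ($cors = "truepost") {
        add_header 'Access-Control-Allow-Origin' "$http_origin";
        add_header 'Access-Control-Allow-Credentials' 'true';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
    }

}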