以下是 gist.github.com 上支援 reverse proxied APIs 的範例:
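#
# CORS header support
#
# One way to use this is by placing it into a file called "cors_support"
# under your Nginx configuration directory and placing the following
# statement inside your **location** block(s):
#
#   include cors_support;
#
# As of Nginx 1.7.5, add_header supports an "always" parameter which
# allows CORS to work if the backend returns 4xx or 5xx status code.
#
# For more information on CORS, please see: http://enable-cors.org/
# Forked from this Gist: https://gist.github.com/michiel/1064640
#
# NOTE: add_header directives inside an "if" block are not merged with the
# add_header directives of the enclosing level; any header the location
# itself adds has to be repeated here if it is still wanted.
#

# $cors becomes 'true' only when the request's Origin header exactly matches
# an allow-listed origin. The pattern is anchored (^...$) on purpose: the
# Origin value is reflected into Access-Control-Allow-Origin together with
# Allow-Credentials, so a substring match would grant credentialed
# cross-origin access to any origin that merely contains one of these names.
set $cors '';
if ($http_origin ~ '^https?://(localhost|www\.yourdomain\.com|www\.yourotherdomain\.com)$') {
    set $cors 'true';
}

if ($cors = 'true') {
    add_header 'Access-Control-Allow-Origin' "$http_origin" always;
    add_header 'Access-Control-Allow-Credentials' 'true' always;
    add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;
    add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With' always;
    # The response body/headers differ per Origin; tell caches (proxy_cache,
    # CDNs, browsers) not to reuse one origin's response for another origin.
    add_header 'Vary' 'Origin' always;
    # Required to be able to read the Authorization header in the frontend.
    #add_header 'Access-Control-Expose-Headers' 'Authorization' always;
}

# NOTE(review): nginx evaluates every matching "if" and builds the response
# from the configuration of the last one that matched. For a pre-flight from
# an allowed origin this block is the last match, so the Allow-Origin headers
# above may not appear on the 204 -- verify with a real pre-flight request and,
# if they are missing, repeat them inside this block as well.
if ($request_method = 'OPTIONS') {
    # Tell the client that this pre-flight info is valid for 20 days.
    add_header 'Access-Control-Max-Age' 1728000;
    # Media type and charset parameter must be separated by ';'.
    add_header 'Content-Type' 'text/plain; charset=UTF-8';
    add_header 'Content-Length' 0;
    return 204;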
}

https://gist.github.com/Stanback/7145487#file-nginx-conf 的討論範例:
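# Close the connection without a response (nginx's non-standard 444) for any
# method outside the supported set.
if ( $request_method !~ ^(GET|POST|HEAD|OPTIONS|PUT|PATCH|DELETE)$ ) {
    return 444;
}

# Reflect the Origin header only when it is on the allow-list; any other origin
# gets a fixed default, which the browser rejects because it does not match the
# requesting page. The pattern is anchored (^...$) because the reflected value
# is sent together with Allow-Credentials.
set $origin $http_origin;
if ($origin !~ '^https?://(subdom1|subdom2)\.yourdom\.zone$') {
    set $origin 'https://default.yourdom.zone';
}

# Pre-flight: answered by nginx itself (return 204), never forwarded upstream.
if ($request_method = 'OPTIONS') {
    add_header 'Access-Control-Allow-Origin' "$origin" always;
    add_header 'Access-Control-Allow-Methods' 'GET, POST, PATCH, PUT, DELETE, OPTIONS' always;
    add_header 'Access-Control-Allow-Headers' 'Content-Type, Accept, Authorization' always;
    add_header 'Access-Control-Allow-Credentials' 'true' always;
    # Response varies per Origin; stop caches from reusing it across origins.
    add_header 'Vary' 'Origin' always;
    add_header Access-Control-Max-Age 1728000; #20 days
    # Media type and charset parameter must be separated by ';'.
    add_header Content-Type 'text/plain; charset=UTF-8';
    add_header Content-Length 0;
    return 204;
}

# Actual requests. The pattern is anchored so it matches the whole method
# token rather than any method that merely contains one of these words.
if ($request_method ~ '^(GET|POST|PATCH|PUT|DELETE)$') {
    add_header Access-Control-Allow-Origin "$origin" always;
    add_header Access-Control-Allow-Methods 'GET, POST, PATCH, PUT, DELETE, OPTIONS' always;
    add_header Access-Control-Allow-Headers 'Content-Type, Accept, Authorization' always;
    add_header Access-Control-Allow-Credentials true always;
    add_header Vary Origin always;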
}

Access-Control-Allow-Origin Multiple Origin Domains? 的例子:

# based on https://gist.github.com/4165271/
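#
# Slightly tighter CORS config for nginx
#
# A modification of https://gist.github.com/1064640/ to include a white-list of URLs
#
# Despite the W3C guidance suggesting that a list of origins can be passed as part of
# Access-Control-Allow-Origin headers, several browsers (well, at least Firefox)
# don't seem to play nicely with this.
#
# To avoid the use of 'Access-Control-Allow-Origin: *', use a simple-ish whitelisting
# method to control access instead.
#
# NB: This relies on the use of the 'Origin' HTTP Header.
#
# The "always" parameter on add_header (nginx >= 1.7.5) keeps the CORS headers on
# 4xx/5xx responses as well; without it the browser cannot read error responses.
#

location / {
    # Start from a known value so the string concatenation below never
    # references an uninitialized variable.
    set $cors "";

    # Anchored allow-list match. The Origin value is reflected below together
    # with Allow-Credentials, so only exact allow-listed origins may set $cors.
    if ($http_origin ~* (^https?://([^/]+\.)*(domainone|domaintwo)\.com$)) {
        set $cors "true";
    }

    # Nginx doesn't support nested If statements. This is where things get slightly nasty.
    # Determine the HTTP request method used and fold it into $cors, so that a
    # single comparison below stands for "origin allowed AND method X".
    if ($request_method = 'OPTIONS') {
        set $cors "${cors}options";
    }
    if ($request_method = 'GET') {
        set $cors "${cors}get";
    }
    if ($request_method = 'POST') {
        set $cors "${cors}post";
    }

    if ($cors = "true") {
        # Catch-all in case there's a request method we're not dealing with properly.
        add_header 'Access-Control-Allow-Origin' "$http_origin" always;
        # Response varies per Origin; stop caches from reusing it across origins.
        add_header 'Vary' 'Origin' always;
    }

    if ($cors = "trueget") {
        add_header 'Access-Control-Allow-Origin' "$http_origin" always;
        add_header 'Access-Control-Allow-Credentials' 'true' always;
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
        add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type' always;
        add_header 'Vary' 'Origin' always;
    }

    if ($cors = "trueoptions") {
        add_header 'Access-Control-Allow-Origin' "$http_origin" always;

        # Let the browser send cookies / HTTP auth on the cross-origin request.
        add_header 'Access-Control-Allow-Credentials' 'true' always;
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;

        # Custom headers and headers various browsers *should* be OK with but aren't.
        add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type' always;

        # Tell the client that this pre-flight info is valid for 20 days.
        add_header 'Access-Control-Max-Age' 1728000;
        add_header 'Vary' 'Origin' always;
        # Media type and charset parameter must be separated by ';'.
        add_header 'Content-Type' 'text/plain; charset=UTF-8';
        add_header 'Content-Length' 0;
        return 204;
    }

    if ($cors = "truepost") {
        add_header 'Access-Control-Allow-Origin' "$http_origin" always;
        add_header 'Access-Control-Allow-Credentials' 'true' always;
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
        add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type' always;
        add_header 'Vary' 'Origin' always;
    }

}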