[nginx|php-fpm] Using CORS (Cross-Origin Resource Sharing) in Nginx to keep multimedia resources from being hotlinked

Posted 2019-2-20 09:34:17
Below is the gist.github.com example that supports reverse-proxied APIs:

#
# CORS header support
#
# One way to use this is by placing it into a file called "cors_support"
# under your Nginx configuration directory and placing the following
# statement inside your **location** block(s):
#
#   include cors_support;
#
# As of Nginx 1.7.5, add_header supports an "always" parameter which
# allows CORS to work if the backend returns 4xx or 5xx status code.
#
# For more information on CORS, please see: http://enable-cors.org/
# Forked from this Gist: https://gist.github.com/michiel/1064640/
#

set $cors '';
# Exact-match whitelist of origins. Note that it accepts plain http:// and
# localhost; combined with Allow-Credentials: true below, any page served
# from those origins can make cookie-bearing requests to this location.
if ($http_origin ~ '^https?://(localhost|www\.yourdomain\.com|www\.yourotherdomain\.com)$') {
        set $cors 'true';
}

if ($cors = 'true') {
        add_header 'Access-Control-Allow-Origin' "$http_origin" always;
        add_header 'Access-Control-Allow-Credentials' 'true' always;
        add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;
        add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With' always;
        # required to be able to read Authorization header in frontend
        #add_header 'Access-Control-Expose-Headers' 'Authorization' always;
}

# NB: when several if blocks match, nginx applies only the add_header set of the
# last matching block, so a preflight from a whitelisted origin receives the three
# headers below instead of the Access-Control-* headers above. The third example
# on this page works around this by folding the request method into $cors.
if ($request_method = 'OPTIONS') {
        # Tell client that this pre-flight info is valid for 20 days
        add_header 'Access-Control-Max-Age' 1728000;
        add_header 'Content-Type' 'text/plain; charset=UTF-8';
        add_header 'Content-Length' 0;
        return 204;
}
An example from the discussion on https://gist.github.com/Stanback/7145487#file-nginx-conf:

if ( $request_method !~ ^(GET|POST|HEAD|OPTIONS|PUT|PATCH|DELETE)$ ) {
     return 444;
}

# Unlisted origins are answered with a fixed default origin instead of a
# reflection of $http_origin, so the browser rejects their responses.
set $origin $http_origin;
if ($origin !~ '^https?://(subdom1|subdom2)\.yourdom\.zone$') {
     set $origin 'https://default.yourdom.zone';
}

if ($request_method = 'OPTIONS') {
     add_header 'Access-Control-Allow-Origin' "$origin" always;
     add_header 'Access-Control-Allow-Methods' 'GET, POST, PATCH, PUT, DELETE, OPTIONS' always;
     add_header 'Access-Control-Allow-Headers' 'Content-Type, Accept, Authorization' always;
     add_header 'Access-Control-Allow-Credentials' 'true' always;
     add_header Access-Control-Max-Age 1728000;   #20 days
     add_header Content-Type 'text/plain; charset=UTF-8';
     add_header Content-Length 0;
     return 204;
}

if ($request_method ~ '(GET|POST|PATCH|PUT|DELETE)') {
     add_header Access-Control-Allow-Origin "$origin" always;
     add_header Access-Control-Allow-Methods 'GET, POST, PATCH, PUT, DELETE, OPTIONS' always;
     add_header Access-Control-Allow-Headers 'Content-Type, Accept, Authorization' always;
     add_header Access-Control-Allow-Credentials true always;
}
The example from "Access-Control-Allow-Origin Multiple Origin Domains?":
# based on https://gist.github.com/4165271/
#
# Slightly tighter CORS config for nginx
#
# A modification of https://gist.github.com/1064640/ to include a white-list of URLs
#
# Despite the W3C guidance suggesting that a list of origins can be passed as part of
# Access-Control-Allow-Origin headers, several browsers (well, at least Firefox)
# don't seem to play nicely with this.
# (Access-Control-Allow-Origin in fact takes a single origin or '*', which is why
# the matching origin is echoed back below.)
#
# To avoid the use of 'Access-Control-Allow-Origin: *', use a simple-ish whitelisting
# method to control access instead.
#
# NB: This relies on the use of the 'Origin' HTTP Header.
#
# NB: add_header is used without 'always' here, so these headers only reach
# 2xx/3xx responses (see the first example).

location / {

    # Anchored so that only domainone.com / domaintwo.com and their subdomains
    # match; plain http:// origins are still accepted.
    if ($http_origin ~* (^https?://([^/]+\.)*(domainone|domaintwo)\.com$)) {
        set $cors "true";
    }

    # Nginx doesn't support nested If statements. This is where things get slightly nasty.
    # Determine the HTTP request method used
    if ($request_method = 'OPTIONS') {
        set $cors "${cors}options";
    }
    if ($request_method = 'GET') {
        set $cors "${cors}get";
    }
    if ($request_method = 'POST') {
        set $cors "${cors}post";
    }

    if ($cors = "true") {
        # Catch all in case there's a request method we're not dealing with properly
        add_header 'Access-Control-Allow-Origin' "$http_origin";
    }

    if ($cors = "trueget") {
        add_header 'Access-Control-Allow-Origin' "$http_origin";
        add_header 'Access-Control-Allow-Credentials' 'true';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
    }

    if ($cors = "trueoptions") {
        add_header 'Access-Control-Allow-Origin' "$http_origin";

        #
        # Om nom nom cookies
        #
        add_header 'Access-Control-Allow-Credentials' 'true';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';

        #
        # Custom headers and headers various browsers *should* be OK with but aren't
        #
        add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';

        #
        # Tell client that this pre-flight info is valid for 20 days
        #
        add_header 'Access-Control-Max-Age' 1728000;
        add_header 'Content-Type' 'text/plain; charset=UTF-8';
        add_header 'Content-Length' 0;
        return 204;
    }

    if ($cors = "truepost") {
        add_header 'Access-Control-Allow-Origin' "$http_origin";
        add_header 'Access-Control-Allow-Credentials' 'true';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
    }

}
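Added example (my own, not from this post or from any of the gists quoted above): the same origin whitelist written with map instead of chained if blocks. That sidesteps the last-matching-if problem of the first example (only one if remains, and it contains nothing but return), adds Vary: Origin so a shared cache never hands one origin's Access-Control-Allow-Origin to a different origin, and accepts only exact https origins (no http://, no localhost, no wildcard subdomains). The names www.yourdomain.com, app.yourdomain.com and api.yourdomain.com, the /media/ path and the /srv/media root are placeholders. One caveat that also applies to the title of this thread: CORS only governs what cross-origin script may read; it does not stop another site from embedding the files with <img>, <video> or <audio> tags, so it is not a hotlink blocker on its own.

```nginx
# http {} context. map is evaluated once per request and needs no "if":
# unlisted origins yield an empty string.
map $http_origin $cors_origin {
    default "";
    # Exact, case-insensitive string matches; https only, no localhost.
    "https://www.yourdomain.com"    $http_origin;   # placeholder hostname
    "https://app.yourdomain.com"    $http_origin;   # placeholder hostname
}

# A preflight is only answered with 204 when the origin was whitelisted;
# folding method and origin into one key replaces the "trueoptions" trick.
map "$request_method:$cors_origin" $cors_preflight {
    default 0;
    "~^OPTIONS:https://" 1;
}

server {
    listen 443 ssl;
    server_name api.yourdomain.com;          # placeholder hostname
    # ssl_certificate / ssl_certificate_key as usual

    location /media/ {                       # placeholder path
        # add_header does not emit a header whose value is empty, so a request
        # from an unlisted origin gets no Access-Control-* headers at all.
        add_header Access-Control-Allow-Origin $cors_origin always;
        # Only keep this if the media really needs cookies or Authorization.
        add_header Access-Control-Allow-Credentials true always;
        add_header Access-Control-Allow-Methods "GET, HEAD, OPTIONS" always;
        add_header Access-Control-Allow-Headers "Range, If-Modified-Since" always;
        add_header Access-Control-Expose-Headers "Content-Length, Content-Range" always;
        add_header Access-Control-Max-Age 1728000 always;
        # The response depends on the Origin request header; tell caches so.
        add_header Vary Origin always;

        # Only "return" inside the if: the nested block has no add_header of its
        # own, so it inherits the full set above instead of replacing it.
        if ($cors_preflight) {
            return 204;
        }

        root /srv/media;                     # placeholder root
    }
}
```

Validate with nginx -t, then compare `curl -sI -H 'Origin: https://evil.example' https://api.yourdomain.com/media/clip.mp4` (no Access-Control-* headers expected) against the same request with `Origin: https://www.yourdomain.com`, and an `-X OPTIONS` request from each origin (204 with headers only for the whitelisted one). Browsers cap Access-Control-Max-Age well below the 20 days requested here, so the value is a ceiling rather than a guarantee.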