以下是 gist.github.com 支援 reverse proxied APIs 的範例:
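# CORS header support
#
# One way to use this is by placing it into a file called "cors_support"
# under your Nginx configuration directory and placing the following
# statement inside your **location** block(s):
#
#   include cors_support;
#
# As of Nginx 1.7.5, add_header supports an "always" parameter which
# allows CORS to work if the backend returns 4xx or 5xx status code.
#
# For more information on CORS, please see: http://enable-cors.org/
# Forked from this Gist: https://gist.github.com/michiel/1064640
#
# Origin handling: the Origin request header is reflected back only when it
# matches the anchored whitelist below; every other origin gets no CORS
# headers at all (never '*', because Allow-Credentials is 'true').  Replace
# the placeholder hostnames and drop 'localhost' outside of development.
#
# nginx uses the add_header set of the last matching "if" only; sibling "if"
# blocks do not combine their headers.  With a separate "if" on
# $request_method, a whitelisted pre-flight therefore lost Allow-Origin,
# Allow-Methods and Allow-Headers.  The method is folded into $cors instead
# so each case is a single flat block that emits the complete header set.

set $cors '';
if ($http_origin ~ '^https?://(localhost|www\.yourdomain\.com|www\.yourotherdomain\.com)$') {
    set $cors 'true';
}
if ($request_method = 'OPTIONS') {
    set $cors "${cors}options";
}

# Whitelisted origin, actual (non pre-flight) request.
if ($cors = 'true') {
    add_header 'Access-Control-Allow-Origin' "$http_origin" always;
    add_header 'Access-Control-Allow-Credentials' 'true' always;
    add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;
    add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With' always;
    # required to be able to read Authorization header in frontend
    #add_header 'Access-Control-Expose-Headers' 'Authorization' always;
}

# Whitelisted origin, pre-flight request: answered here, never forwarded to
# the backend.  The CORS headers are repeated on purpose (see note above).
if ($cors = 'trueoptions') {
    add_header 'Access-Control-Allow-Origin' "$http_origin" always;
    add_header 'Access-Control-Allow-Credentials' 'true' always;
    add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;
    add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With' always;
    # Tell client that this pre-flight info is valid for 20 days
    add_header 'Access-Control-Max-Age' 1728000;
    # media type and charset are separated by ';' (the original lacked it)
    add_header 'Content-Type' 'text/plain; charset=UTF-8';
    add_header 'Content-Length' 0;
    return 204;
}

# Pre-flight from a non-whitelisted (or missing) origin: still short-circuit
# with an empty 204 as before, but without any CORS headers, so nothing is
# ever advertised to an origin that failed the whitelist.
if ($cors = 'options') {
    add_header 'Content-Type' 'text/plain; charset=UTF-8';
    add_header 'Content-Length' 0;
    return 204;
}
https://gist.github.com/Stanback/7145487#file-nginx-conf 的討論範例: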
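# Method gate first: anything outside this list is dropped with 444 (nginx
# closes the connection without sending a response).  HEAD passes the gate
# but is not advertised in Allow-Methods below; it is one of the
# CORS-safelisted methods, so no pre-flight ever asks for it.
if ( $request_method !~ ^(GET|POST|HEAD|OPTIONS|PUT|PATCH|DELETE)$ ) {
    return 444;
}

# Reflect the Origin header only when it matches the anchored whitelist.
# Any other value (or a missing Origin) is replaced by a fixed default so
# the response never echoes an arbitrary origin; the browser's origin
# comparison then fails closed for non-whitelisted callers.  This matters
# because Allow-Credentials is 'true', where a '*' origin is not allowed.
set $origin $http_origin;
if ($origin !~ '^https?://(subdom1|subdom2)\.yourdom\.zone$') {
    set $origin 'https://default.yourdom.zone';
}

# Pre-flight: answered here, never forwarded to the backend.  All CORS
# headers are repeated in this block because nginx only uses the add_header
# set of the last matching "if" (sibling "if" blocks do not merge).
if ($request_method = 'OPTIONS') {
    add_header 'Access-Control-Allow-Origin' "$origin" always;
    add_header 'Access-Control-Allow-Methods' 'GET, POST, PATCH, PUT, DELETE, OPTIONS' always;
    add_header 'Access-Control-Allow-Headers' 'Content-Type, Accept, Authorization' always;
    add_header 'Access-Control-Allow-Credentials' 'true' always;
    add_header Access-Control-Max-Age 1728000; #20 days
    # media type and charset are separated by ';' (the original lacked it)
    add_header Content-Type 'text/plain; charset=UTF-8';
    add_header Content-Length 0;
    return 204;
}

# Actual request: attach the CORS headers ('always' keeps them on 4xx/5xx
# from the backend, nginx >= 1.7.5).  The method regex is anchored so it
# mirrors the gate above instead of matching a substring.
if ($request_method ~ '^(GET|POST|PATCH|PUT|DELETE)$') {
    add_header Access-Control-Allow-Origin "$origin" always;
    add_header Access-Control-Allow-Methods 'GET, POST, PATCH, PUT, DELETE, OPTIONS' always;
    add_header Access-Control-Allow-Headers 'Content-Type, Accept, Authorization' always;
    add_header Access-Control-Allow-Credentials true always;
}
Access-Control-Allow-Origin Multiple Origin Domains? 的例子:
# based on https://gist.github.com/4165271/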
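#
# Slightly tighter CORS config for nginx
#
# A modification of https://gist.github.com/1064640/ to include a white-list of URLs
#
# Despite the W3C guidance suggesting that a list of origins can be passed as part of
# Access-Control-Allow-Origin headers, several browsers (well, at least Firefox)
# don't seem to play nicely with this.
#
# To avoid the use of 'Access-Control-Allow-Origin: *', use a simple-ish whitelisting
# method to control access instead.
#
# NB: This relies on the use of the 'Origin' HTTP Header.
#
# Note: none of the add_header lines below carry 'always', so the CORS
# headers are only attached to 2xx/3xx responses; on nginx >= 1.7.5 append
# 'always' to keep them on backend 4xx/5xx replies as well.

location / {

    # Initialise $cors explicitly.  The original left it unset, which works
    # but makes nginx log "using uninitialized variable" on every request
    # that reaches the "${cors}..." concatenations below.
    set $cors "";

    # Anchored, case-insensitive whitelist: scheme http or https, any number
    # of sub-domain labels, then domainone.com / domaintwo.com exactly.
    # Only a matching Origin is ever reflected back.
    if ($http_origin ~* (^https?://([^/]+\.)*(domainone|domaintwo)\.com$)) {
        set $cors "true";
    }

    # Nginx doesn't support nested If statements. This is where things get slightly nasty.
    # Determine the HTTP request method used: the method name is appended to
    # $cors so that one flat "if" per case can emit the full header set
    # (nginx keeps only the add_header set of the last matching "if").
    if ($request_method = 'OPTIONS') {
        set $cors "${cors}options";
    }
    if ($request_method = 'GET') {
        set $cors "${cors}get";
    }
    if ($request_method = 'POST') {
        set $cors "${cors}post";
    }

    if ($cors = "true") {
        # Catch all incase there's a request method we're not dealing with properly
        add_header 'Access-Control-Allow-Origin' "$http_origin";
    }

    # Actual GET/POST from a whitelisted origin.  The two cases emitted the
    # same headers, so they are handled by one anchored regex match.
    if ($cors ~ "^true(get|post)$") {
        add_header 'Access-Control-Allow-Origin' "$http_origin";
        add_header 'Access-Control-Allow-Credentials' 'true';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
    }

    # Pre-flight from a whitelisted origin: answered here, never proxied.
    # A pre-flight from any other origin leaves $cors as "options", matches
    # nothing below and is passed through without CORS headers.
    if ($cors = "trueoptions") {
        add_header 'Access-Control-Allow-Origin' "$http_origin";

        #
        # Om nom nom cookies
        #
        add_header 'Access-Control-Allow-Credentials' 'true';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';

        #
        # Custom headers and headers various browsers *should* be OK with but aren't
        #
        add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';

        #
        # Tell client that this pre-flight info is valid for 20 days
        #
        add_header 'Access-Control-Max-Age' 1728000;
        # media type and charset are separated by ';' (the original lacked it)
        add_header 'Content-Type' 'text/plain; charset=UTF-8';
        add_header 'Content-Length' 0;
        return 204;
    }

}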