
What's the config for CORS on an Nginx Swoole proxy?


This has been frustrating me to no end. I've been getting that classic line:

No 'Access-Control-Allow-Origin' header is present on the requested resource.

I'm running the latest stable Nginx on Ubuntu 16.04, with a Swoole server configured to handle the Laravel PHP requests in PHP 7.2. As far as I know it's all working.

The Laravel API is on one subdomain, and the frontend is an Angular app on another subdomain. Up till now everything's worked, so I've been trying to configure CORS on the backend site.

Despite having it configured, it's not recognising that it exists. Yes, I restart nginx every time I update the config. Caching at the moment is off for dev purposes. Nginx config shortened below:

map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}
server {
        listen 80;
        listen [::]:80;
        root /var/www/sub.example.com/;

        index index.php;

        server_name sub.example.com www.sub.example.com;
        [redirect 301 part]

        [php location]

}
## https://example.com redirects to https://www.example.com
server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name www.sub.example.com;

        [SSL certs]


        [redirect 301 to sub.example.com]
}

## Serves https://sub.example.com
server {
        server_name lhb.luminuxlab.com;
        listen 443 ssl http2 ;
        listen [::]:443 ssl http2;

        [SSL certs]

        root /var/www/sub.example.com;
        index index.php;

        location / {

                try_files $uri $uri/ /index.php?@swoole;
        }


        [php stuff]


        location @swoole {
                add_header 'Access-Control-Allow-Origin' '*';
                add_header 'Access-Control-Allow_Credentials' 'true';
                add_header 'Access-Control-Allow-Headers' 'Authorization,Accept,Origin,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Ra$
                add_header 'Access-Control-Allow-Methods' 'GET,POST,OPTIONS,PUT,DELETE,PATCH';
                proxy_set_header Host $http_host;
                proxy_set_header Scheme $scheme;
                proxy_set_header SERVER_PORT $server_port;
                proxy_set_header REMOTE_ADDR $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection $connection_upgrade;

                # IF https
                proxy_set_header HTTPS "on";

                proxy_pass http://127.0.0.1:1215$query_string;
        }
}

I've tried shifting the headers to a bunch of different places but I've had no luck getting a change in response. Pinging the server with curl

curl -H "Access-Control-Request-Method: GET" -H "Origin: http://front.example.com" --head http://back.example.com/

Gives no useful information and the CORS headers don't seem to be included. I've tried different variations and configurations of the CORS header commands and no response.

Anybody got an idea of what might be going wrong?


Solution

  • OK, problem solved. After more experimentation I found that the correct location for the access control headers was in the final HTTPS redirect before the proxy redirect to Swoole. Like so:

    ## Serves https://sub.example.com
    server {
            server_name sub.example.com;
            listen 443 ssl http2 ;
            listen [::]:443 ssl http2;
    
            [ssl stuff]
    
    
            add_header 'Access-Control-Allow-Origin' 'https://front.example.com';
            add_header 'Access-Control-Allow-Credentials' 'true';
            add_header 'Access-Control-Allow-Headers' 'Authorization,Accept,Origin,DNT,Content-Type,Content-Range,Range';
            add_header 'Access-Control-Allow-Methods' 'GET,POST,OPTIONS';
    
            root /var/www/sub.example.com/;
            ....
    
            location @swoole {
                    ....
    
                    proxy_pass http://127.0.0.1:1215$query_string;
            }
    }
    

    Hope this helps people in the future.
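
A response-header check for the problems visible in the configs above (added example, not part of the original question or answer): it flags a header name spelled with an underscore, as in `Access-Control-Allow_Credentials`, a wildcard origin on a credentialed request, and an allowed origin that differs from the requesting one, such as the `http://` origin in the curl test against an `https://` allow-list entry. The function names and sample responses are assumptions made for the example.

```python
# Added example: audit CORS headers in a response head pasted from `curl -i`.
ALLOW_ORIGIN = "access-control-allow-origin"
ALLOW_CREDS = "access-control-allow-credentials"

def parse_headers(raw):
    """Parse a raw response head into {lowercased-name: [values]}."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # a blank line ends the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit_cors(raw, origin, with_credentials=False):
    """Return the reasons a browser page at `origin` could not read this response."""
    h = parse_headers(raw)
    findings = []
    for name in h:
        # CORS header names contain hyphens only; browsers ignore other spellings.
        if name.startswith("access-control-") and "_" in name:
            findings.append(f"misspelled header name: {name}")
    acao = h.get(ALLOW_ORIGIN, [])
    if not acao:
        return findings + ["no Access-Control-Allow-Origin header"]
    if len(acao) > 1:
        findings.append("Access-Control-Allow-Origin sent more than once")
    if acao[0] == "*":
        if with_credentials:
            findings.append("wildcard origin is rejected for credentialed requests")
    elif acao[0] != origin:
        findings.append(f"allowed origin {acao[0]} does not match {origin}")
    if with_credentials and h.get(ALLOW_CREDS) != ["true"]:
        findings.append("Access-Control-Allow-Credentials: true is missing")
    return findings

# Constructed samples, not real captures: the header values written in the
# question's @swoole block, and the answer's origin with hyphen-only spelling.
QUESTION_STYLE = """HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Access-Control-Allow_Credentials: true
"""
ANSWER_STYLE = """HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://front.example.com
Access-Control-Allow-Credentials: true
"""
if __name__ == "__main__":
    print(audit_cors(QUESTION_STYLE, "https://front.example.com", with_credentials=True))
    print(audit_cors(ANSWER_STYLE, "http://front.example.com"))
```

Paste the output of `curl -i` with an `Origin` header in place of the constructed samples to check a live response the same way.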