以下是 gist.github.com 支援 reverse proxied APIs 的範例:
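# CORS header support
#
# One way to use this is by placing it into a file called "cors_support"
# under your Nginx configuration directory and placing the following
# statement inside your **location** block(s):
#
#   include cors_support;
#
# As of Nginx 1.7.5, add_header supports an "always" parameter which
# allows CORS to work if the backend returns 4xx or 5xx status code.
#
# For more information on CORS, please see: http://enable-cors.org/
# Forked from this Gist: https://gist.github.com/michiel/1064640
#
# Review notes on the original snippet:
#   - add_header directives are not inherited between sibling "if" blocks,
#     so a pre-flight answered from the OPTIONS block carried none of the
#     Access-Control-* headers. The request is now classified once into
#     $cors ('', 'true', 'options' or 'trueoptions') and the CORS headers
#     are repeated in the pre-flight branch.
#   - Access-Control-Allow-Origin depends on the request's Origin header,
#     so "Vary: Origin" is sent as well; without it a shared cache could
#     hand one origin's response to another origin.

set $cors '';

# Only reflect an Origin that is on the allow-list. The regex is anchored at
# both ends so that look-alike hosts (prefixes, suffixes) do not match.
if ($http_origin ~ '^https?://(localhost|www\.yourdomain\.com|www\.yourotherdomain\.com)$') {
    set $cors 'true';
}

# Nginx cannot nest "if" blocks, so the request method is folded into $cors.
if ($request_method = 'OPTIONS') {
    set $cors "${cors}options";
}

# Actual (non pre-flight) request from an allow-listed origin.
if ($cors = 'true') {
    add_header 'Access-Control-Allow-Origin' "$http_origin" always;
    add_header 'Access-Control-Allow-Credentials' 'true' always;
    add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;
    add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With' always;
    add_header 'Vary' 'Origin' always;
    # required to be able to read Authorization header in frontend
    #add_header 'Access-Control-Expose-Headers' 'Authorization' always;
}

# Pre-flight from an allow-listed origin. The headers are deliberately
# duplicated here (see the review notes above).
if ($cors = 'trueoptions') {
    add_header 'Access-Control-Allow-Origin' "$http_origin" always;
    add_header 'Access-Control-Allow-Credentials' 'true' always;
    add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;
    add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With' always;
    add_header 'Vary' 'Origin' always;
    # Tell client that this pre-flight info is valid for 20 days
    add_header 'Access-Control-Max-Age' 1728000;
    add_header 'Content-Type' 'text/plain charset=UTF-8';
    add_header 'Content-Length' 0;
    return 204;
}

# Pre-flight from any other origin: answered without CORS headers, as in the
# original, so the browser refuses the cross-origin call.
if ($cors = 'options') {
    return 204;
}

https://gist.github.com/Stanback/7145487#file-nginx-conf 的討論範例: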
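# Reject anything outside the expected method set before doing any CORS work.
# 444 closes the connection without a response.
if ( $request_method !~ ^(GET|POST|HEAD|OPTIONS|PUT|PATCH|DELETE)$ ) {
    return 444;
}

# Reflect the Origin only when it is on the allow-list; any other value
# (including a missing Origin) is replaced by a fixed default, so an arbitrary
# origin is never echoed back together with Allow-Credentials.
set $origin $http_origin;
if ($origin !~ '^https?://(subdom1|subdom2)\.yourdom\.zone$') {
    set $origin 'https://default.yourdom.zone';
}

# Pre-flight. The CORS headers are repeated in this block on purpose:
# add_header directives are not inherited between sibling "if" blocks.
# "Vary: Origin" is added because the Allow-Origin value depends on the
# request's Origin header and must not be served from a shared cache to
# a different origin.
if ($request_method = 'OPTIONS') {
    add_header 'Access-Control-Allow-Origin' "$origin" always;
    add_header 'Access-Control-Allow-Methods' 'GET, POST, PATCH, PUT, DELETE, OPTIONS' always;
    add_header 'Access-Control-Allow-Headers' 'Content-Type, Accept, Authorization' always;
    add_header 'Access-Control-Allow-Credentials' 'true' always;
    add_header 'Vary' 'Origin' always;
    add_header 'Access-Control-Max-Age' 1728000; #20 days
    add_header 'Content-Type' 'text/plain charset=UTF-8';
    add_header 'Content-Length' 0;
    return 204;
}

# Actual request. The regex is anchored like the filter above (the original
# was unanchored), and HEAD is included because the filter admits it and
# browsers treat it like GET for CORS purposes.
if ($request_method ~ '^(GET|HEAD|POST|PATCH|PUT|DELETE)$') {
    add_header 'Access-Control-Allow-Origin' "$origin" always;
    add_header 'Access-Control-Allow-Methods' 'GET, POST, PATCH, PUT, DELETE, OPTIONS' always;
    add_header 'Access-Control-Allow-Headers' 'Content-Type, Accept, Authorization' always;
    add_header 'Access-Control-Allow-Credentials' 'true' always;
    add_header 'Vary' 'Origin' always;
}

Access-Control-Allow-Origin Multiple Origin Domains? 的例子:
# based on https://gist.github.com/4165271/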
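#
# Slightly tighter CORS config for nginx
#
# A modification of https://gist.github.com/1064640/ to include a white-list of URLs
#
# Despite the W3C guidance suggesting that a list of origins can be passed as part of
# Access-Control-Allow-Origin headers, several browsers (well, at least Firefox)
# don't seem to play nicely with this.
#
# To avoid the use of 'Access-Control-Allow-Origin: *', use a simple-ish whitelisting
# method to control access instead.
#
# NB: This relies on the use of the 'Origin' HTTP Header.
#
# Review notes on the original snippet:
#   - $cors is now initialised, so the comparisons below no longer read an
#     uninitialized variable (nginx logs a warning for that) when the Origin
#     is not on the list.
#   - Every branch that reflects the Origin also sends "Vary: Origin", because
#     the Allow-Origin value depends on the request and must not be served by
#     a shared cache to a different origin.

location / {

    set $cors "";

    # Anchored match: any sub-domain of the two listed apex domains, http or https.
    if ($http_origin ~* (^https?://([^/]+\.)*(domainone|domaintwo)\.com$)) {
        set $cors "true";
    }

    # Nginx doesn't support nested If statements. This is where things get slightly nasty.
    # Determine the HTTP request method used.
    if ($request_method = 'OPTIONS') {
        set $cors "${cors}options";
    }
    if ($request_method = 'GET') {
        set $cors "${cors}get";
    }
    if ($request_method = 'POST') {
        set $cors "${cors}post";
    }

    if ($cors = "true") {
        # Catch all incase there's a request method we're not dealing with properly
        add_header 'Access-Control-Allow-Origin' "$http_origin";
        add_header 'Vary' 'Origin';
    }

    if ($cors = "trueget") {
        add_header 'Access-Control-Allow-Origin' "$http_origin";
        add_header 'Access-Control-Allow-Credentials' 'true';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
        add_header 'Vary' 'Origin';
    }

    if ($cors = "trueoptions") {
        add_header 'Access-Control-Allow-Origin' "$http_origin";
        add_header 'Vary' 'Origin';
        #
        # Om nom nom cookies
        #
        add_header 'Access-Control-Allow-Credentials' 'true';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';

        #
        # Custom headers and headers various browsers *should* be OK with but aren't
        #
        add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';

        #
        # Tell client that this pre-flight info is valid for 20 days
        #
        add_header 'Access-Control-Max-Age' 1728000;
        add_header 'Content-Type' 'text/plain charset=UTF-8';
        add_header 'Content-Length' 0;
        return 204;
    }

    if ($cors = "truepost") {
        add_header 'Access-Control-Allow-Origin' "$http_origin";
        add_header 'Access-Control-Allow-Credentials' 'true';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
        add_header 'Vary' 'Origin';
    }

}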