Nginx configuration for CORS-enabled HTTPS proxy with origin white-list defined by a simple regex


# # Acts as a nginx HTTPS proxy server # enabling CORS only to domains matched by regex # /https?://.*\.mckinsey\.com(:[0-9]+)?)/ # # Based on: # * http://blog.themillhousegroup.com/2013/05/nginx-as-cors-enabled-https-proxy.html # * http://enable-cors.org/server_nginx.html # server { listen 443 default_server ssl; server_name localhost; # Fake certs - fine for development purposes 🙂 ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem; ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key; ssl_session_timeout 5m; location / { proxy_redirect off; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # Nginx doesn't support nested If statements, so we # concatenate compound conditions on the $cors variable # and process later # If request comes from allowed subdomain # (*.mckinsey.com) then we enable CORS if ($http_origin ~* (https?://.*\.mckinsey\.com(:[0-9]+)?$)) { set $cors "1"; } # OPTIONS indicates a CORS pre-flight request if ($request_method = 'OPTIONS') { set $cors "${cors}o"; } # Append CORS headers to any request from # allowed CORS domain, except OPTIONS if ($cors = "1") { more_set_headers 'Access-Control-Allow-Origin: $http_origin'; more_set_headers 'Access-Control-Allow-Credentials: true'; proxy_pass http://serverIP:serverPort; } # OPTIONS (pre-flight) request from allowed # CORS domain. return response directly if ($cors = "1o") { more_set_headers 'Access-Control-Allow-Origin: $http_origin'; more_set_headers 'Access-Control-Allow-Methods: GET, POST, OPTIONS, PUT, DELETE'; more_set_headers 'Access-Control-Allow-Credentials: true'; more_set_headers 'Access-Control-Allow-Headers: Origin,Content-Type,Accept'; add_header Content-Length 0; add_header Content-Type text/plain; return 204; } # Requests from non-allowed CORS domains proxy_pass http://serverIP:serverPort; } }

发表评论