I am using apache2 as a reverse proxy for my parse-server. In order to allow Cross Origin Requests I originally tried setting:
Header always set Access-Control-Allow-Origin "*"
in the apache config file together with:
ProxyPass /parse/ http://localhost:1337/parse/
ProxyPassReverse /parse/ http://localhost:1337/parse/
RewriteEngine On
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ $1 [R=200,L]
After setting this, the requests were successfully forwarded from apache to my parse-server. However now my Webapp throws CORS Multiple Origin Not Allowed
.
In the developer console of my browser I can see that this Access-Control-Allow-Origin option is set twice.
I have confirmed that the second instance of this appears due to parse-server. However I can not find a way to either prevent parse-server or apache from setting this option in the response.
I tried changing my initial line in the apache config to:
1.
Header always setifempty Access-Control-Allow-Origin "*"
Header always add Access-Control-Allow-Origin "*"
Header always add Access-Control-Allow-Origin "*"
Header always edit Access-Control-Allow-Origin "^$" "*"
None of these tries changed anything. However removing the Access-Control-Allow-Origin
option in the apache config prevents the initial request from getting through to parse-server, so this is not an option.
I am using apache2 version 2.4.29
and parse-server 4.10.3
.
Does anyone know a way to get this to work?
Best Answer
First of all, I think it's important to understand a little background on how CORS works:
Access-Control
headers in the response.So why am I saying this: I suspect the reason you need to set the
Access-Control-Allow-Origin
header in the Apache for the request to be "getting through" is that your Apache configuration is not proxyingOPTION
requests. This leads to the browser getting an unexpected response in the pre-flight requests and throwing a CORS error before even attempting to make the actual request.Since CORS is validated in the browser the Apache reverse-proxy shouldn't play any role in it. When your backend server (parse-server) is correctly configured to handle CORS requests and sends out the correct
Access-Control-*
headers everything should be working no matter how many proxies you put in between. That is as long as the proxy forwards all requests.Alternatively, you may want to "slap on" the CORS configuration in the reverse proxy but that seems unnecessary here. Since you are seeing two
Access-Control-Allow-Origin
headers in the response, I suspect that the parse-server is in fact already trying to handle the CORS request.I recommend you first check your Apache configuration and make sure
OPTION
requests are forwarded to the parse-server. If that shouldn't be it, I'd look at the requests the browser makes in the network tab of the dev tools:Access-Control-*
response headers on the pre-flight request?You can also debug these things by calling the services with
curl
by setting the origin header.That way you can simulate requests to your backend service and see what headers it sends.