My problem is the exact same one as described here: Disable authentication for HTTP OPTIONS method (preflight request). I'm trying to use CORS and HTTP passwords at the same time. When the browser see an bounced OPTIONS (status code 401), for some reason it'll immediate check for the CORS headers (which will be absent) and reject the request.
Here's my config:
location /api/ {
proxy_pass http://127.0.0.1:14000;
proxy_set_header Host $host;
add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
add_header Access-Control-Allow-Origin $http_origin;
add_header Access-Control-Allow-Headers "Authorization, Content-Type";
add_header Access-Control-Allow-Credentials true;
auth_basic "Restricted Area";
auth_basic_user_file /var/www/admin.htpasswd;
}
Best Answer
Here's the solution I came up with. It insolves duplicating all the CORS add_header directives though.