Nginx enabling CORS for multiple subdomains

My nginx version: nginx/1.4.6

I have an issue enabling CORS for multiple subdomains. I checked https://gist.github.com/algal/5480916 and http://rustyrazorblade.com/post/2013/2013-10-31-cors-with-wildcard-domains-and-nginx/ but both solutions doesn't work for me.

It looks like the regex

if ($http_origin ~* (.*\.mydomain.com)) {
    set $cors "true";
}

is not matching and $cors is not set to "true" and therefor add_header 'Access-Control-Allow-Origin' "$http_origin" won't be executed.

I also tried with regex

$http_origin ~* (https?://.*.mydomain.com)

$http_origin ~* https?://.*.mydomain.com

But in either case the regex doesn't match and $cors will never set to "true".

What am I missing?

My nginx configuration – domain name in curly braces (is getting replaced by Ansible):

upstream varnish {
  server localhost:80;
}

server {
    listen 443 default;
    server_name {{vhost}};

    ssl                  on;
    ssl_certificate      /etc/ssl/certs/ssl.{{domain}}.crt;
    ssl_certificate_key  /etc/ssl/private/{{domain}}.key;

    ssl_session_timeout  5m;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    #ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    #ssl_prefer_server_ciphers   on;

    # workaround remote exploit. Fixed in 1.5.0, 1.4.1
    #
    # http://mailman.nginx.org/pipermail/nginx-announce/2013/000112.html
    if ($http_transfer_encoding ~* chunked) {
        return 444;
    }

    proxy_set_header X-Real-IP  $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header Host $http_host;

    proxy_redirect off;

    # CORS
    set $cors "";
    if ($http_origin ~* (.*\.{{domain}})) {
        set $cors "true";
    }

    location / {
            # Set the max size for file uploads (/admin, /webmail)
            client_max_body_size 10G;

            proxy_pass http://varnish;
            if ($cors = "true") {
                add_header 'Access-Control-Allow-Origin' "$http_origin";
                add_header 'Access-Control-Allow_Credentials' 'true';
                add_header 'Access-Control-Allow-Headers' 'Authorization,Accept,Origin,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range, X-CSRF-Token';
                add_header 'Access-Control-Allow-Methods' 'GET,POST,OPTIONS,PUT,DELETE,PATCH';
            }

            if ($request_method = OPTIONS) {
                return 204;
            }

    }

    location = /50x.html {
        root   html;
    }

}

Best Answer

There are some unexpected things that occur when using if inside location blocks in NGINX. It's not recommended. Here is a solution that uses map. https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/ and https://agentzh.blogspot.com/2011/03/how-nginx-location-if-works.html

This setup allows me to make requests to any subdomain and any port on my-domain.com and localhost (for development).

map $http_origin $allow_origin {
    ~^https?://(.*\.)?my-domain.com(:\d+)?$ $http_origin;
    ~^https?://(.*\.)?localhost(:\d+)?$ $http_origin;
    default "";
}

server {
    listen 80 default_server;
    server_name _;
    add_header 'Access-Control-Allow-Origin' $allow_origin;
    # ...
}

http://nginx.org/en/docs/http/ngx_http_map_module.html

Best Answer

Related Solutions

Nginx – How to add Access-Control-Allow-Origin in NGINX

Nginx has ssl module, but thinks it doesn’t

Related Topic