Nginx – How to replace Access-Control-Allow-Origin header in proxy response with nginx

cors nginx

I am using a simple nginx instance to proxy REST calls to another server. The purpose of my proxy is to allow the use of cookies for authentication. I have it working, except for one problem. The server providing the REST service is sending the header Access-Control-Allow-Origin *. That header is too permissive for cookie-based authentication. I need to replace that header with one that is more restrictive.

Here is a subset of my nginx config:

map $http_origin $cors_header {
    default "";
    "~^https?://[^/]+\.mydomain\.com(:[0-9]+)?$" $http_origin;
}

server {    
    location / {
        proxy_pass https://myrestserver.com/api;
        add_header Access-Control-Allow-Origin $cors_header;
        add_header Access-Control-Allow-Credentials true;
    }
}

My problem is that I end up with two Access-Control-Allow-Origin headers present in my response. How can I replace the header that comes back from the REST server so that only my version of the header is present in the final response?

Best Answer

The best thing to do would be to change the response on the REST server side, but, assuming you don't have control of the REST server, there is a module for Nginx that can modify headers called ngx_headers_more: https://github.com/openresty/headers-more-nginx-module

You'll have to install the module (this will likely involve building nginx from source and adding the module in ./configure, as described in the GitHub README). For your specific problem, once you install it, you can add this directive in any block:

more_set_headers "Access-Control-Allow-Origin: $cors_header";
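
The full configuration with that directive in place, as an added example that is not part of the original question or answer. It assumes nginx is built with headers-more-nginx-module; $cors_credentials is a variable name introduced here, and the hostnames are the question's placeholders.

```nginx
# Echo the Origin back only when it matches the allowlist; empty otherwise.
map $http_origin $cors_header {
    default "";
    "~^https?://[^/]+\.mydomain\.com(:[0-9]+)?$" $http_origin;
}

# Assumption for this example: credentials are advertised only to
# allowlisted origins, so the value is empty whenever $cors_header is empty.
map $cors_header $cors_credentials {
    default "true";
    ""      "";
}

server {
    location / {
        proxy_pass https://myrestserver.com/api;

        # more_set_headers replaces a header of the same name, so the
        # upstream "Access-Control-Allow-Origin: *" is overwritten instead of
        # a second header being appended, which is what add_header does.
        # Setting an empty value clears the header, so requests from other
        # origins (or with no Origin) leave with no CORS grant at all.
        # Unlike add_header without "always", this applies to every status
        # code, including upstream error responses.
        more_set_headers "Access-Control-Allow-Origin: $cors_header";
        more_set_headers "Access-Control-Allow-Credentials: $cors_credentials";

        # The response now depends on the request's Origin, so shared caches
        # must key on it. add_header appends, which keeps any Vary value the
        # upstream already sent.
        add_header Vary Origin always;
    }
}
```

After reloading, a response to a request from an allowlisted origin should carry exactly one Access-Control-Allow-Origin header, and a response to any other origin should carry none.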