Unable to resolve the "Access-Control-Allow-Origin" issue

Ajay Garg
Hi All.

We are facing the following issue :

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://1.2.3.4/. (Reason: CORS header 'Access-Control-Allow-Origin' missing).


Have tried everything I could find on the google, but nothing works (whatever I do in /etc/nginx/sites-available/default)


So, first question first, is it even possible to solve this issue on the version, as per the information below ::

########################################################
nginx -V
nginx version: nginx/1.4.6 (Ubuntu)
built by gcc 4.8.4 (Ubuntu 4.8.4-2ubuntu1~14.04.3)
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_addition_module --with-http_dav_module --with-http_flv_module --with-http_geoip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_mp4_module --with-http_perl_module --with-http_random_index_module --with-http_secure_link_module --with-http_spdy_module --with-http_sub_module --with-http_xslt_module --with-mail --with-mail_ssl_module --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/headers-more-nginx-module --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-auth-pam --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-cache-purge --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-dav-ext-module --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-development-kit --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-echo --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/ngx-fancyindex --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-http-push --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-lua --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-upload-progress --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-upstream-fair 
--add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/ngx_http_substitutions_filter_module
##########################################################



Thanks and Regards,
Ajay

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx

Re: Unable to resolve the "Access-Control-Allow-Origin" issue

Ajay Garg
For the record, here is the server-block ::


#########################################################
server {

                listen 443 ssl;

                ssl_certificate /etc/nginx/ssl/nginx.crt;
                ssl_certificate_key /etc/nginx/ssl/nginx.key;

                add_header 'Access-Control-Max-Age' 1728000;
                add_header 'Access-Control-Allow-Origin' $http_origin;
                add_header 'Access-Control-Allow-Credentials' 'true';
                add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
                add_header 'Access-Control-Allow-Headers' 'DNT,Access-Control-Allow-Origin,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';

                location / {

                        add_header 'Access-Control-Max-Age' 1728000;
                        add_header 'Access-Control-Allow-Origin' '*';
                        add_header 'Access-Control-Allow-Credentials' 'true';
                        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
                        add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';

                        auth_basic 'Restricted';
                        auth_basic_user_file /etc/nginx/ssl/.htpasswd;

                        proxy_set_header 'Access-Control-Max-Age' 1728000;
                        proxy_set_header 'Access-Control-Allow-Origin' '*';
                        proxy_set_header 'Access-Control-Allow-Credentials' 'true';
                        proxy_set_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
                        proxy_set_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';

                        proxy_pass $forwarded_protocol://127.0.0.1:$forwarded_port;

                }
        }
#########################################################

On Wed, Apr 12, 2017 at 6:13 PM, Ajay Garg <[hidden email]> wrote:
Hi All.

We are facing the following issue :

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://1.2.3.4/. (Reason: CORS header 'Access-Control-Allow-Origin' missing).


Have tried everything I could find on the google, but nothing works (whatever I do in /etc/nginx/sites-available/default)


So, first question first, is it even possible to solve this issue on the version, as per the information below ::

########################################################
nginx -V
nginx version: nginx/1.4.6 (Ubuntu)
built by gcc 4.8.4 (Ubuntu 4.8.4-2ubuntu1~14.04.3)
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_addition_module --with-http_dav_module --with-http_flv_module --with-http_geoip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_mp4_module --with-http_perl_module --with-http_random_index_module --with-http_secure_link_module --with-http_spdy_module --with-http_sub_module --with-http_xslt_module --with-mail --with-mail_ssl_module --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/headers-more-nginx-module --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-auth-pam --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-cache-purge --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-dav-ext-module --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-development-kit --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-echo --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/ngx-fancyindex --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-http-push --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-lua --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-upload-progress --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-upstream-fair 
--add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/ngx_http_substitutions_filter_module
##########################################################



Thanks and Regards,
Ajay



--
Regards,
Ajay


Re: Unable to resolve the "Access-Control-Allow-Origin" issue

Richard Stanway
You are using auth_basic, so the 401 response code is not in the range that add_header works with ("Adds the specified field to a response header provided that the response code equals 200, 201, 204, 206, 301, 302, 303, 304, or 307."). You need to use "always" if you want to include the header in all responses. See the documentation for more details.


On Wed, Apr 12, 2017 at 4:48 PM, Ajay Garg <[hidden email]> wrote:
For the record, here is the server-block ::


#########################################################
server {

                listen 443 ssl;

                ssl_certificate /etc/nginx/ssl/nginx.crt;
                ssl_certificate_key /etc/nginx/ssl/nginx.key;

                add_header 'Access-Control-Max-Age' 1728000;
                add_header 'Access-Control-Allow-Origin' $http_origin;
                add_header 'Access-Control-Allow-Credentials' 'true';
                add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
                add_header 'Access-Control-Allow-Headers' 'DNT,Access-Control-Allow-Origin,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';

                location / {

                        add_header 'Access-Control-Max-Age' 1728000;
                        add_header 'Access-Control-Allow-Origin' '*';
                        add_header 'Access-Control-Allow-Credentials' 'true';
                        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
                        add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';

                        auth_basic 'Restricted';
                        auth_basic_user_file /etc/nginx/ssl/.htpasswd;

                        proxy_set_header 'Access-Control-Max-Age' 1728000;
                        proxy_set_header 'Access-Control-Allow-Origin' '*';
                        proxy_set_header 'Access-Control-Allow-Credentials' 'true';
                        proxy_set_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
                        proxy_set_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';

                        proxy_pass $forwarded_protocol://127.0.0.1:$forwarded_port;

                }
        }
#########################################################

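Added example (not written by anyone in this thread and not nginx project code): a small Python audit of the server block posted above. It checks the point made in this reply, that add_header without "always" is skipped on the 401 sent by auth_basic, and goes beyond it with three related checks on the same block: add_header inheritance, CORS names given to proxy_set_header, and the origin/credentials combination. Both sample configs are constructed from the posted block, and $cors_origin is a hypothetical variable assumed to come from an origin allowlist.

```python
import re

# Constructed sample: the server block posted in this thread, trimmed to the
# directives the checks below read.
POSTED_CONF = """
server {
    add_header 'Access-Control-Allow-Origin' $http_origin;
    add_header 'Access-Control-Allow-Credentials' 'true';
    location / {
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Credentials' 'true';
        auth_basic 'Restricted';
        proxy_set_header 'Access-Control-Allow-Origin' '*';
        proxy_pass $forwarded_protocol://127.0.0.1:$forwarded_port;
    }
}
"""

# Constructed variant. $cors_origin is a hypothetical variable, assumed to be
# set from an origin allowlist by a map block elsewhere in the configuration.
REVISED_CONF = """
server {
    location / {
        add_header 'Access-Control-Allow-Origin' $cors_origin always;
        add_header 'Access-Control-Allow-Credentials' 'true' always;
        auth_basic 'Restricted';
        proxy_pass $forwarded_protocol://127.0.0.1:$forwarded_port;
    }
}
"""

TOKEN = re.compile(r"'[^']*'|\"[^\"]*\"|[{}]|[^\s;{}]+")


class Scope:
    def __init__(self, label, parent=None):
        self.label, self.parent = label, parent
        self.directives, self.children = [], []

    def own(self, name):
        return [args for d, args in self.directives if d == name]

    def inherited(self, name):
        # A level that sets the directive uses only its own values; otherwise
        # it takes the nearest ancestor's (this is how add_header is inherited).
        scope = self
        while scope and not scope.own(name):
            scope = scope.parent
        return scope.own(name) if scope else []


def parse(conf):
    """Build a Scope tree from a one-directive-per-line nginx config."""
    root = cur = Scope("main")
    for line in conf.splitlines():
        tokens = [t.strip("'\"") for t in TOKEN.findall(line)]
        if not tokens or line.lstrip().startswith("#"):
            continue
        if tokens[-1] == "{":
            child = Scope(" ".join(tokens[:-1]), cur)
            cur.children.append(child)
            cur = child
        elif tokens[0] == "}":
            cur = cur.parent
        else:
            cur.directives.append((tokens[0], tokens[1:]))
    return root


def audit(conf):
    """Return sorted (scope, finding) pairs for the CORS headers of a config."""
    findings = set()

    def walk(scope):
        for child in scope.children:
            walk(child)
        # proxy_set_header changes the request sent upstream, not the response.
        for args in scope.own("proxy_set_header"):
            if args[0].lower().startswith("access-control-"):
                findings.add((scope.label, "cors-header-set-on-upstream-request"))
        if scope.children:
            return  # only leaf scopes are evaluated as request handlers
        if scope.own("add_header") and scope.parent and scope.parent.inherited("add_header"):
            findings.add((scope.label, "parent-add_header-not-inherited"))
        cors = {a[0].lower(): a[1:] for a in scope.inherited("add_header")
                if a[0].lower().startswith("access-control-")}
        auth = scope.inherited("auth_basic")
        # Without "always", add_header is skipped on the 401 challenge.
        if auth and auth[0] != ["off"] and any("always" not in v[1:] for v in cors.values()):
            findings.add((scope.label, "no-cors-headers-on-401"))
        origin = (cors.get("access-control-allow-origin") or [""])[0]
        creds = (cors.get("access-control-allow-credentials") or [""])[0] == "true"
        if creds and origin == "*":  # browsers refuse "*" on credentialed requests
            findings.add((scope.label, "wildcard-origin-with-credentials"))
        if creds and origin == "$http_origin":  # every caller's Origin is echoed back
            findings.add((scope.label, "any-origin-reflected-with-credentials"))

    walk(parse(conf))
    return sorted(findings)


if __name__ == "__main__":
    for scope, finding in audit(POSTED_CONF):
        print(f"{scope}: {finding}")
```

The reflected-origin finding does not fire for the posted block only because the location-level add_header lines replace the server-level ones; removing the location-level lines would expose it.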

Re: Unable to resolve the "Access-Control-Allow-Origin" issue

Ajay Garg
Hi Richard.

Thanks for the help.

I added 'always' as the last argument in all the "add_header" and "proxy_set_header" directives.
Unfortunately, I receive the following on the very first "add_header" directive ::

#####################################################
2017/04/12 17:18:22 [emerg] 28540#0: invalid number of arguments in "add_header" directive in /etc/nginx/sites-enabled/default:22
#####################################################


I guess the 'always' argument requires nginx >= 1.7.5.


Is there a pre-built package available for nginx?
Our linux-machine is ::

#####################################################
uname -a
Linux proxy 3.13.0-108-generic #155-Ubuntu SMP Wed Jan 11 16:58:52 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
#####################################################

If not, I guess the link to use is http://nginx.org/en/docs/configure.html, but I am very afraid that I might miss something, so a pre-built package >= 1.7.5 (provided one exists) for our linux-machine would be great :)


Thanks for the help so far !!!


Thanks and Regards,
Ajay

On Wed, Apr 12, 2017 at 8:30 PM, Richard Stanway <[hidden email]> wrote:
You are using auth_basic, so the 401 response code is not in the range that add_header works with ("Adds the specified field to a response header provided that the response code equals 200, 201, 204, 206, 301, 302, 303, 304, or 307."). You need to use "always" if you want to include the header in all responses. See the documentation for more details.



Re: Unable to resolve the "Access-Control-Allow-Origin" issue

Francis Daly
In reply to this post by Ajay Garg
On Wed, Apr 12, 2017 at 06:13:19PM +0530, Ajay Garg wrote:

Hi there,

> We are facing the following issue :
>
> Cross-Origin Request Blocked: The Same Origin Policy disallows reading the
> remote resource at https://1.2.3.4/. (Reason: CORS header
> 'Access-Control-Allow-Origin' missing).

What's the issue, specifically?

It looks like your browser thinks it is talking to two web servers. Do
you think your browser is talking to two web servers? If not, that's
the problem to fix. Otherwise, you'll want to set suitable headers in
the response from the first web server.

If your browser should only be talking to https://1.2.3.4/, and everything
else should be reverse-proxied behind that, then the problem is that
some part of a back-end is leaking through, and the network allows the
browser to talk directly to something that it should not be talking to.

A later mail shows some nginx config, but it is not clear to me if that
is on the 1.2.3.4 server or on a different server; and it is not clear
to me why many of the add_header and proxy_set_header lines are there.

I suspect that if you can get a clear understanding of the issue, and of
what should be happening, then the path to configuring things to allow
it all to happen will become clearer.

Good luck with it,

        f
--
Francis Daly        [hidden email]

Re: Unable to resolve the "Access-Control-Allow-Origin" issue

Ajay Garg
In reply to this post by Ajay Garg
Upgraded to 1.11

Now, things get worse, I am not being prompted for any credentials (even with all browser cache cleared), even with the following /etc/nginx/conf.d/default.conf


##########################################################
server {

                listen 443 ssl;
                ssl_certificate /etc/nginx/ssl/nginx.crt;
                ssl_certificate_key /etc/nginx/ssl/nginx.key;

#               add_header 'Access-Control-Max-Age' 1728000 'always';
#               add_header 'Access-Control-Allow-Origin' $http_origin 'always';
#               add_header 'Access-Control-Allow-Credentials' 'true' 'always';
#               add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' 'always';
#               add_header 'Access-Control-Allow-Headers' 'DNT,Access-Control-Allow-Origin,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type' 'always';

                location / {

#                       add_header 'Access-Control-Max-Age' 1728000 'always';
#                       add_header 'Access-Control-Allow-Origin' '*' 'always';
#                       add_header 'Access-Control-Allow-Credentials' 'true' 'always';
#                       add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' 'always';
#                       add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type' 'always';

                        auth_basic 'Restricted';
                        auth_basic_user_file /etc/nginx/ssl/.htpasswd;

#                       proxy_set_header 'Access-Control-Max-Age' 1728000;
#                       proxy_set_header 'Access-Control-Allow-Origin' '*';
#                       proxy_set_header 'Access-Control-Allow-Credentials' 'true';
#                       proxy_set_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
#                       proxy_set_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';

                        proxy_pass $forwarded_protocol://127.0.0.1:$forwarded_port;

                }
        }

##########################################################


Any ideas why this regression?

On Wed, Apr 12, 2017 at 10:54 PM, Ajay Garg <[hidden email]> wrote:
Hi Richard.

Thanks for the help.

I added 'always' as the last argument in all the "add_header" and "proxy_set_header" directives.
Unfortunately, I receive the following on the very first "add_header" directive ::

#####################################################
2017/04/12 17:18:22 [emerg] 28540#0: invalid number of arguments in "add_header" directive in /etc/nginx/sites-enabled/default:22
#####################################################


I guess the 'always' argument requires nginx >= 1.7.5.


Is there a pre-built package available for nginx?
Our linux-machine is ::

#####################################################
uname -a
Linux proxy 3.13.0-108-generic #155-Ubuntu SMP Wed Jan 11 16:58:52 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
#####################################################

If not, I guess the link to use is http://nginx.org/en/docs/configure.html, but I am very afraid that I might miss something, so a pre-built package >= 1.7.5 (provided one exists) for our linux-machine would be great :)


Thanks for the help so far !!!


Thanks and Regards,
Ajay

On Wed, Apr 12, 2017 at 8:30 PM, Richard Stanway <[hidden email]> wrote:
Your are using auth_basic, so the 401 response code is not in the range that add_header works with ("Adds the specified field to a response header provided that the response code equals 200, 201, 204, 206, 301, 302, 303, 304, or 307."). You need to use "always" if you want to include the header in all responses. See the documentation for more details.


On Wed, Apr 12, 2017 at 4:48 PM, Ajay Garg <[hidden email]> wrote:
For the record, here is the server-block ::


#########################################################
server {

                listen 443 ssl;

                ssl_certificate /etc/nginx/ssl/nginx.crt;
                ssl_certificate_key /etc/nginx/ssl/nginx.key;

                add_header 'Access-Control-Max-Age' 1728000;
                add_header 'Access-Control-Allow-Origin' $http_origin;
                add_header 'Access-Control-Allow-Credentials' 'true';
                add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
                add_header 'Access-Control-Allow-Headers' 'DNT,Access-Control-Allow-Origin,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';

                location / {

                        add_header 'Access-Control-Max-Age' 1728000;
                        add_header 'Access-Control-Allow-Origin' '*';
                        add_header 'Access-Control-Allow-Credentials' 'true';
                        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
                        add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';

                        auth_basic 'Restricted';
                        auth_basic_user_file /etc/nginx/ssl/.htpasswd;

                        proxy_set_header 'Access-Control-Max-Age' 1728000;
                        proxy_set_header 'Access-Control-Allow-Origin' '*';
                        proxy_set_header 'Access-Control-Allow-Credentials' 'true';
                        proxy_set_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
                        proxy_set_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';

                        proxy_pass $forwarded_protocol://127.0.0.1:$forwarded_port;

                }
        }
#########################################################

On Wed, Apr 12, 2017 at 6:13 PM, Ajay Garg <[hidden email]> wrote:
Hi All.

We are facing the following issue :

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://1.2.3.4/. (Reason: CORS header 'Access-Control-
Allow-Origin' missing).


Have tried everything I could find on the google, but nothing works (whatever I do in /etc/nginx/sites-available/default)


So, first question first, is it even possible to solve this issue on the version, as per the information below ::

########################################################
nginx -V
nginx version: nginx/1.4.6 (Ubuntu)
built by gcc 4.8.4 (Ubuntu 4.8.4-2ubuntu1~14.04.3)
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_addition_module --with-http_dav_module --with-http_flv_module --with-http_geoip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_mp4_module --with-http_perl_module --with-http_random_index_module --with-http_secure_link_module --with-http_spdy_module --with-http_sub_module --with-http_xslt_module --with-mail --with-mail_ssl_module --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/headers-more-nginx-module --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-auth-pam --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-cache-purge --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-dav-ext-module --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-development-kit --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-echo --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/ngx-fancyindex --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-http-push --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-lua --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-upload-progress --add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-upstream-fair 
--add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/ngx_http_substitutions_filter_module
##########################################################



Thanks and Regards,
Ajay



_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx

Re: Unable to resolve the "Access-Control-Allow-Origin" issue

Ajay Garg
Strange, but rebooting the machine caused the credentials-popup to be
seen again :-|
Sorry for the noise here.

There has been some progress, but still get a "CORS preflight did not
succeed error".
Following is what I am doing.


a)
Following is the server-block in /etc/nginx/conf.d/default.conf ::

##########################################################################
server {

                listen 443 ssl;

                ssl_certificate /etc/nginx/ssl/nginx.crt;
                ssl_certificate_key /etc/nginx/ssl/nginx.key;

                add_header 'Access-Control-Max-Age' 1728000 'always';
                add_header 'Access-Control-Allow-Origin' $http_origin 'always';
                add_header 'Access-Control-Allow-Credentials' 'true' 'always';
                add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' 'always';
                add_header 'Access-Control-Allow-Headers' 'DNT,Access-Control-Allow-Origin,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type' 'always';

                location / {

                        auth_basic 'Restricted';
                        auth_basic_user_file /etc/nginx/ssl/.htpasswd;

                        proxy_set_header 'Access-Control-Max-Age' 1728000;
                        proxy_set_header 'Access-Control-Allow-Origin' '*';
                        proxy_set_header 'Access-Control-Allow-Credentials' 'true';
                        proxy_set_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
                        proxy_set_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';

                        proxy_pass $forwarded_protocol://127.0.0.1:$forwarded_port;

                }
        }
##########################################################################




b)
Firing the following html from firefox (sensitive information changed) ::

##########################################################################
<html>
<body>
<script type="text/javascript">
var data = null;

var xhr = new XMLHttpRequest();
xhr.withCredentials = true;

xhr.addEventListener("readystatechange", function () {
      if (this.readyState === 4) {
              console.log(this.responseText);
      }
});

xhr.open("GET", "https://1.2.3.4/");
xhr.setRequestHeader("authorization", "Basic abcdefg");
xhr.setRequestHeader("cache-control", "no-cache");

xhr.send(data);
</script>
</body>
</html>
##########################################################################



Following is received in the firebug-console (sensitive information changed) ::

##########################################################################
GET https://23.253.207.208/
uff.html (line 19)
Headers

Accept                  text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding   gzip, deflate, br
Accept-Language   en-US,en;q=0.5
Authorization         Basic abcdefg
Cache-Control       no-cache
Host                     1.2.3.4
Origin                    null
User-Agent            Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:47.0) Gecko/20100101 Firefox/47.0


Cross-Origin Request Blocked: The Same Origin Policy disallows reading
the remote resource at https://1.2.3.4/. (Reason: CORS preflight
channel did not succeed).
##########################################################################


I am beginning to believe that I am close to solving the issue (of
course all credit to tremendous help from this list).
I will be grateful for the last bit of help being received by the
really helpful experts here..

Sorry again for the noise in my previous email.


Thanks and Regards,
Ajay

Re: Unable to resolve the "Access-Control-Allow-Origin" issue

Richard Stanway
You're missing the "Authorization" header in your Access-Control-Allow-Headers directive.

You can alternatively pass the basic auth in your URI, e.g. xhr.open("GET", "https://username:password@1.2.3.4/"), rather than crafting it manually.


Re: Unable to resolve the "Access-Control-Allow-Origin" issue

Francis Daly
In reply to this post by Ajay Garg
On Thu, Apr 13, 2017 at 08:20:15PM +0530, Ajay Garg wrote:

Hi there,

> There has been some progress, but still get a "CORS preflight did not
> succeed error".

What do the nginx logs say happened?

What should the nginx logs say, if everything worked the way you want
it to?

> Following is received in the firebug-console (sensitive information changed) ::

> Host                     1.2.3.4
> Origin                    null

Does anything different happen if you serve this html file from your
1.2.3.4 server, instead of (I presume) by reading a local file?

Will your final use case involve a local file, a resource from the 1.2.3.4
server, or something else?

        f
--
Francis Daly        [hidden email]
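
The preflight exchange discussed in the replies above, as an added example that is not part of the thread: a simplified JavaScript model of the checks a browser runs on the OPTIONS response (after the Fetch standard), applied to the XHR and the add_header values from the post. The response statuses and all function names are assumptions constructed for illustration.

```javascript
// Simplified model of the browser-side CORS preflight checks (after the
// Fetch standard). Added example; all names here are hypothetical.

// Request headers a script may set without triggering a preflight
// (simplified: the value restrictions on content-type etc. are ignored).
const SAFELISTED = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);

// Build the OPTIONS preflight for a script-issued request. The preflight
// never carries the Authorization header or any other credentials.
function buildPreflight(req) {
  const unsafe = Object.keys(req.headers)
    .map((h) => h.toLowerCase())
    .filter((h) => !SAFELISTED.has(h))
    .sort();
  if (unsafe.length === 0 && SAFE_METHODS.has(req.method)) return null;
  return {
    method: "OPTIONS",
    headers: {
      origin: req.origin,
      "access-control-request-method": req.method,
      "access-control-request-headers": unsafe.join(","),
    },
  };
}

const tokens = (v) => (v || "").split(",").map((t) => t.trim().toLowerCase()).filter(Boolean);

// Decide whether the preflight response lets the real request go out.
// Returns "ok" or the reason for the block.
function checkPreflight(req, res) {
  const pre = buildPreflight(req);
  if (pre === null) return "ok"; // no preflight needed
  const h = res.headers;
  const withCreds = req.withCredentials === true;
  if (res.status < 200 || res.status > 299) return `preflight status ${res.status} is not 2xx`;
  // With $http_origin reflected, "null" (file:// or sandboxed documents)
  // passes this comparison exactly like any other origin would.
  const acao = h["access-control-allow-origin"];
  if (!(acao === req.origin || (acao === "*" && !withCreds)))
    return "Access-Control-Allow-Origin does not match the request origin";
  if (withCreds && h["access-control-allow-credentials"] !== "true")
    return "Access-Control-Allow-Credentials is not 'true'";
  const methods = tokens(h["access-control-allow-methods"]);
  if (!SAFE_METHODS.has(req.method) && !methods.includes(req.method.toLowerCase()) &&
      !(methods.includes("*") && !withCreds))
    return `method ${req.method} not allowed`;
  const allowed = tokens(h["access-control-allow-headers"]);
  const wildcard = allowed.includes("*") && !withCreds;
  for (const name of tokens(pre.headers["access-control-request-headers"])) {
    if (allowed.includes(name)) continue;
    // 'authorization' must always be listed by name; '*' never covers it.
    if (wildcard && name !== "authorization") continue;
    return `missing token '${name}' in Access-Control-Allow-Headers`;
  }
  return "ok";
}

// The XHR from the post: page opened from a local file (Origin: null),
// credentials on, two script-set headers.
const xhr = {
  method: "GET", origin: "null", withCredentials: true,
  headers: { authorization: "Basic abcdefg", "cache-control": "no-cache" },
};

// Constructed responses. Header values are copied from the add_header lines
// of the posted server block, with $http_origin expanded to the Origin sent.
const postedHeaders = {
  "access-control-allow-origin": "null",
  "access-control-allow-credentials": "true",
  "access-control-allow-methods": "GET, POST, OPTIONS",
  "access-control-allow-headers": "DNT,Access-Control-Allow-Origin,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type",
};
// Assumption: auth_basic answers the credential-less OPTIONS with 401.
const behindAuth = { status: 401, headers: postedHeaders };
// Assumption: OPTIONS is exempted from auth, header list unchanged.
const authExempt = { status: 204, headers: postedHeaders };
// As above, with Authorization added to the list as suggested in the thread.
const fixed = { status: 204, headers: { ...postedHeaders,
  "access-control-allow-headers": postedHeaders["access-control-allow-headers"] + ",Authorization" } };

function demo() {
  return [behindAuth, authExempt, fixed].map((r) => checkPreflight(xhr, r));
}
console.log(buildPreflight(xhr), demo());
```

Comparing the three results against the actual preflight line in the nginx access log (method OPTIONS and its status code) shows which of the checks is the one failing on a real server.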

Re: Unable to resolve the "Access-Control-Allow-Origin" issue

Ajay Garg
In reply to this post by Richard Stanway
Hi Richard.

You have got me thinking ...
https://username:password@1.2.3.4/ works, even without ANY of the "add_header" and "proxy_set_header" directives.

So, now the only thing that worries me is security.

http://stackoverflow.com/questions/4143196/is-get-data-also-encrypted-in-https indicates that the URL is safe, in the sense that "username" and "password" would not be sniffable through a man-in-the-middle attack, right?

Also, since 1.2.3.4 is our own server, we are not really bothered about GET requests getting logged on the server, so we should be good.

Do I make sense?

Kindly let me know your thoughts.


Thanks and Regards,
Ajay


Re: Unable to resolve the "Access-Control-Allow-Origin" issue

Richard Stanway
You're correct - placing the username and password in the URI is just as safe as any other method as long as it's going over HTTPS, and the credentials should never appear in any access logs (unless you specifically choose to log the Authorization header).


Re: Unable to resolve the "Access-Control-Allow-Origin" issue

Ajay Garg
Thanks a ton Richard !!

I will ask my colleague if this works in angularjs on Monday; my gut feel is it will :)
Thanks a ton guys !!!


Thanks and Regards,
Ajay
