./conf/cors/<site-name> Configuration Assuming that site-name is webapplicationconsultant.com and I want to enable credentials for varunbatra.com along it itself" /> ./conf/cors/<site-name> Configuration Assuming that site-name is webapplicationconsultant.com and I want to enable credentials for varunbatra.com along it itself" />

Enable CORS with Credentials in Nginx

You must have noticed that when enable cors with “*”, it doesn’t allow credential to pass. Solution to this is pretty simply, you just need to list all of your domains in configuration. My approach is to have a separate file for each domain.

Directory Structure:

./conf/site-enabled/<site-name>
./conf/cors/<site-name>

Configuration

Assuming that site-name is webapplicationconsultant.com and I want to enable credentials for varunbatra.com along it itself – This is how it goes:

#./conf/cors/webapplicationconsultant.com


set $cors '';
if ($http_origin ~ '^https?://(varunbatra\.com|webapplicationconsultant\.com)') {
        set $cors 'true';
}

if ($cors = 'true') {
        add_header 'Access-Control-Allow-Origin' "$http_origin" always;
        add_header 'Access-Control-Allow-Credentials' 'true' always;
        add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;
        add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With' always;
        # required to be able to read Authorization header in frontend
        #add_header 'Access-Control-Expose-Headers' 'Authorization' always;
}

if ($request_method = 'OPTIONS') {
        # Tell client that this pre-flight info is valid for 20 days
        add_header 'Access-Control-Max-Age' 1728000;
        add_header 'Content-Type' 'text/plain charset=UTF-8';
        add_header 'Content-Length' 0;
        return 204;
}
#./conf/site-enabled/webapplicationconsultant.com

server {
	listen 443 ssl;
	server_name webapplicationconsultant.com;
....	
        location / {
                include "./../cors/webapplicationconsultant.com";
                try_files $uri @app;
	}
	location @app {
...
	}
}

Enable CORS with Credentials in Nginx

8 thoughts on “Enable CORS with Credentials in Nginx

  1. Hi, Wondering if your able to help I’m new to CORS and trying to figure out what I might be doing wrong.
    I created ../nginx/cors/swagger

    set $cors ”;
    if ($http_origin ~ ‘^https?://(swagger\.some.com|nexus\.some.com)’) {
    set $cors ‘true’;
    }

    if ($cors = ‘true’) {
    add_header ‘Access-Control-Allow-Origin’ “$http_origin” always;
    add_header ‘Access-Control-Allow-Credentials’ ‘true’ always;
    add_header ‘Access-Control-Allow-Methods’ ‘GET, POST, PUT, DELETE, OPTIONS’ always;
    add_header ‘Access-Control-Allow-Headers’ ‘api_key,Authorization,DNT,User-Agent,Keep-Alive,Content-Type,accept,origin,X-Requested-With’ always;
    # required to be able to read Authorization header in frontend
    #add_header ‘Access-Control-Expose-Headers’ ‘Authorization’ always;
    }

    if ($request_method = ‘OPTIONS’) {
    # Tell client that this pre-flight info is valid for 20 days
    add_header ‘Access-Control-Max-Age’ 1728000;
    add_header ‘Content-Type’ ‘text/plain charset=UTF-8’;
    add_header ‘Content-Length’ 0;
    return 204;
    }

    Then proxy looks like this

    server {
    listen 80;
    return 301 https://$host$request_uri;
    }

    server {

    listen 443;
    server_name nexus.some.com;

    ssl_certificate /something/fullchain.pem;
    ssl_certificate_key /something/privkey.pem;

    ssl on;
    ssl_session_cache builtin:1000 shared:SSL:10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    #ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_ciphers ‘ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA’;

    ssl_prefer_server_ciphers on;

    access_log /var/log/nginx/access.log;

    location / {

    include “/etc/nginx/cors/swagger”;

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Fix the “It appears that your reverse proxy set up is broken” error.
    proxy_pass http://localhost:8081;
    proxy_read_timeout 90;
    proxy_redirect http://localhost:8081 https://nexus.some.com;

    }
    }

    1. You have https but I don’t see you using proxy_set_header X-Forwarded-Proto https; in your proxy
      Other than first one, other two thoughts right now:

      1. Enable passing of all headers – I think it isn’t passing all headers
      http://nginx.org/en/docs/http/ngx_http_core_module.html#underscores_in_headers
      2. Use multiple if instead of a single one:
      if ($http_origin ~ ‘^https?://(swagger\.some.com|nexus\.some.com)’) {
      set $cors ‘true’;
      }

  2. nginx: [emerg] “add_header” directive is not allowed here in /etc/nginx/snippets/cors2:14

    That will not work. Nginx doesn’t allow if

Leave a Reply to Konrad Cancel reply

Your email address will not be published. Required fields are marked *

Scroll to top