我有一个.Net 6应用程序,对于以下请求,它返回如下响应。请注意,存在Access-Control-Allow-Origin:
$ curl -i http://localhost:5081/Artworks/IMG_9346m.jpg -H "origin:https://m.beatajakimiak.art.pl" -H "referer:https://m.beatajakimiak.art.pl/" -o /dev/null -v
* Trying 127.0.0.1:5081...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Connected to localhost (127.0.0.1) port 5081 (#0)
> GET /Artworks/IMG_9346m.jpg HTTP/1.1
> Host: localhost:5081
> User-Agent: curl/7.81.0
> Accept: */*
> origin:https://m.beatajakimiak.art.pl
> referer:https://m.beatajakimiak.art.pl/
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Content-Length: 465767
< Content-Type: image/jpeg
< Date: Thu, 24 Aug 2023 20:23:16 GMT
< Server: Kestrel
< Accept-Ranges: bytes
< Access-Control-Allow-Origin: https://m.beatajakimiak.art.pl
< ETag: "1d837e79f7d7b67"
< Last-Modified: Mon, 14 Mar 2022 21:08:16 GMT
< Vary: Origin
<
{ [16384 bytes data]
100 454k 100 454k 0 0 39.8M 0 --:--:-- --:--:-- --:--:-- 40.3M
* Connection #0 to host localhost left intact我甚至在托管nginx和这个网站的机器上打开了5081端口,并直接调用了它。Access-Control-Allow-Origin在那里。CORS请求工作正常。我可以在Chrome开发工具的响应头中看到这个头。
我已经为它配置了Nginx代理如下:
server {
server_name beatajakimiak.art.pl www.beatajakimiak.art.pl;
include /etc/nginx/snippets/global.conf;
include /etc/nginx/snippets/global_images_cache.conf;
#access_log /var/log/nginx/beatajakimiak_art_pl/access.log;
error_log /var/log/nginx/beatajakimiak_art_pl/error.log;
root /srv/www/beatajakimiakwebsite/wwwroot;
location / {
proxy_pass http://localhost:5081;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection keep-alive;
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
listen [::]:443 ssl http2; # managed by Certbot
listen 443 ssl; # managed by Certbot
... SSL CONFIGURATION ...
}global.conf看起来像这样:
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location ~ /\. {
deny all;
}
location ~* /(?:uploads|files)/.*\.php$ {
deny all;
}
location ~ /\.ht {
deny all;
}
add_header X-Frame-Options "SAMEORIGIN";
add_header X-Content-Type-Options "nosniff";global_images_cache.conf看起来像这样:
location ~* \.(?:jpg|jpeg|gif|png|ico|woff2)$ {
expires 1M;
add_header Cache-Control "public";
}现在,使用此配置,如果我用相同的curl调用我的网站,我不会在我的响应中获得EST-Control-Allow-Origin头。我尝试了其他自定义头,它们也没有被转发到响应:
$ curl -i https://beatajakimiak.art.pl/Artworks/IMG_9346m.jpg -H "origin:https://m.beatajakimiak.art.pl" -H "referer:https://m.beatajakimiak.art.pl/" -o /dev/null -v
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 83.11.166.97:443...
[... TLS ...]
> GET /Artworks/IMG_9346m.jpg HTTP/2
> Host: beatajakimiak.art.pl
> user-agent: curl/7.81.0
> accept: */*
> origin:https://m.beatajakimiak.art.pl
> referer:https://m.beatajakimiak.art.pl/
>
[... TLS ...]
< HTTP/2 200
< server: nginx/1.18.0 (Ubuntu)
< date: Thu, 24 Aug 2023 20:24:08 GMT
< content-type: image/jpeg
< content-length: 465767
< last-modified: Mon, 14 Mar 2022 21:08:16 GMT
< etag: "622faec0-71b67"
< expires: Sat, 23 Sep 2023 20:24:08 GMT
< cache-control: max-age=2592000
< cache-control: public
< accept-ranges: bytes
<
[... TLS ...]
100 454k 100 454k 0 0 7416k 0 --:--:-- --:--:-- --:--:-- 7456k
* Connection #0 to host beatajakimiak.art.pl left intact我的配置有什么问题,它隐藏了响应头?
1条答案
按热度按时间e37o9pze1#
我终于找到了我添加到每个网站的默认nginx
global_images_cache.conf片段处理静态jpg文件的请求,而不是代理网站。从网站的nginx配置中排除
global_images_cache.conf解决了我的问题。