CORS error occurs only on PUT / POST when nginx proxies to the upstream server

xzabzqsa posted on 2024-01-06 in Nginx
Follow (0) | Answers (1) | Views (318)

I added a traffic distributor (nginx) in front of my Jelastic server, which previously ran without any problems.
GET requests and the login POST work fine, but once logged in, POST and PUT requests fail with the well-known CORS error (this is for the actual requests; the preflights work fine):

    Access to XMLHttpRequest at '' from origin 'xyz' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

The response headers are (the status code is 500):

    Content-Length: 383
    Content-Type: text/html
    Date: Thu, 20 Jul 2023 11:46:56 GMT
    Etag: "6194d09a-17f"
    Server: nginx


The same error also occurs in Firefox, and I tested it on another machine running Linux as well.
Strangely, it works in Safari. If I make the same POST / PUT request there, I get these response headers:

    :status: 201
    Access-Control-Allow-Origin: *
    Alt-Svc: h3=":443"; ma=86400
    Content-Length: 956
    Content-Security-Policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
    Content-Type: application/json; charset=utf-8
    Cross-Origin-Opener-Policy: same-origin
    Date: Thu, 20 Jul 2023 11:12:56 GMT
    ETag: W/"3bc-A0RyA0BcEO6RQG+lbMpZAiISc0Y"
    origin-agent-cluster: ?1
    Referrer-Policy: no-referrer
    Server: nginx
    Strict-Transport-Security: max-age=15552000; includeSubDomains
    X-Content-Type-Options: nosniff
    X-DNS-Prefetch-Control: off
    x-download-options: noopen
    X-Frame-Options: SAMEORIGIN
    x-permitted-cross-domain-policies: none
    X-XSS-Protection: 0


The request from Brave/Chrome as cURL:

    curl 'https://dev-backend.xyz.app/api/collections/722/collectibles/4708' \
      -X 'PUT' \
      -H 'authority: dev-backend.xyz.app' \
      -H 'accept: application/json, text/plain, */*' \
      -H 'accept-language: en-GB,en;q=0.9' \
      -H 'authorization: Bearer abcdef' \
      -H 'content-type: application/json' \
      -H 'origin: https://dev.xyz.app' \
      -H 'referer: https://dev.xyz.app/' \
      -H 'sec-ch-ua: "Not.A/Brand";v="8", "Chromium";v="114", "Brave";v="114"' \
      -H 'sec-ch-ua-mobile: ?0' \
      -H 'sec-ch-ua-platform: "macOS"' \
      -H 'sec-fetch-dest: empty' \
      -H 'sec-fetch-mode: cors' \
      -H 'sec-fetch-site: same-site' \
      -H 'sec-gpc: 1' \
      -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36' \
      --data-raw '{jsondata}'


The request from Safari as cURL:

    curl 'https://dev-backend.xyz.app/api/collections/722/collectibles/4708' \
      -X 'PUT' \
      -H 'Content-Type: application/json' \
      -H 'Accept: application/json, text/plain, */*' \
      -H 'Authorization: Bearer abcdef' \
      -H 'Sec-Fetch-Site: same-site' \
      -H 'Accept-Language: en-GB,en;q=0.9' \
      -H 'Accept-Encoding: gzip, deflate, br' \
      -H 'Sec-Fetch-Mode: cors' \
      -H 'Host: dev-backend.xyz.app' \
      -H 'Origin: https://dev.xyz.app' \
      -H 'Content-Length: 944' \
      -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5.1 Safari/605.1.15' \
      -H 'Referer: https://dev.xyz.app/' \
      -H 'Connection: keep-alive' \
      -H 'Sec-Fetch-Dest: empty' \
      --data-binary '{jsondata}'


Current NGINX configuration:

    location / {
        if ($request_method = 'OPTIONS') {
            add_header 'Access-Control-Allow-Origin' $http_origin;
            add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, PUT, DELETE';
            add_header 'Access-Control-Allow-Credentials' 'true';
            add_header 'Access-Control-Allow-Headers' 'Authorization,Content-Type,Accept';
            add_header 'Access-Control-Max-Age' 86400;
            return 204;
        }
        add_header 'Access-Control-Allow-Origin' $http_origin;
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, PUT, DELETE';
        add_header 'Access-Control-Allow-Credentials' 'true';
        add_header 'Access-Control-Allow-Headers' 'Range, Authorization, Content-Type, x-session-token';
        add_header 'Access-Control-Max-Age' 3600;
        proxy_pass http://common;
    }


Any help is appreciated.
I have tried various nginx configuration changes; so far nothing has worked.

anhgbhbe 1#

Use 'always' and * for access-control-allow-origin, because sometimes the framework you are using may not handle the pre-flight request correctly and in that case does not return the correct response.
Check: https://nginx.org/en/docs/http/ngx_http_headers_module.html
to see how to use "always".
Don't forget to upvote if this helps you.
Example:

    location / {
        add_header 'Access-Control-Allow-Origin' '*' always;
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
        add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range' always;
        add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range' always;
        if ($request_method = 'OPTIONS') {
            add_header 'Access-Control-Max-Age' 1728000 always;
            add_header 'Content-Type' 'text/plain; charset=utf-8' always;
            add_header 'Content-Length' 0 always;
            return 204;
        }
        # Your other Nginx configurations...
    }
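The following configuration is an added example for both the question's config and the answer above; it is not the poster's or the answerer's own config. It assumes the upstream group is still named `common` and that `https://dev.xyz.app` is the only browser origin that should be granted access (both values are taken from the question; any other origin is an assumption to be adjusted). It shows the two points a defender wants here: `always` keeps the CORS headers on every status code, so the upstream's 500 is reported by the browser as the real server error instead of being masked as a missing Access-Control-Allow-Origin, and an explicit allowlist replaces reflecting `$http_origin`, which would otherwise grant any site credentialed access. It also avoids combining `*` with `Access-Control-Allow-Credentials: true`, a pairing browsers reject for credentialed requests.

```nginx
# Added example (not the poster's or answerer's configuration).
# Assumptions: upstream group "common" as in the question; allowed origin
# https://dev.xyz.app as in the question; TLS settings configured elsewhere.

# Map the request's Origin to an allowed value. Origins not listed yield an
# empty string, and add_header omits a header whose value is empty, so an
# unknown origin gets no grant at all rather than a reflected one.
map $http_origin $cors_origin {
    default                 "";
    "https://dev.xyz.app"   $http_origin;
}

server {
    listen 443 ssl;
    server_name dev-backend.xyz.app;

    location / {
        # Preflight is answered here without contacting the upstream.
        # add_header directives are not inherited into a block that declares
        # its own add_header, so the CORS headers are repeated in this branch.
        if ($request_method = 'OPTIONS') {
            add_header 'Access-Control-Allow-Origin'      $cors_origin always;
            add_header 'Access-Control-Allow-Methods'     'GET, POST, PUT, DELETE, OPTIONS' always;
            add_header 'Access-Control-Allow-Headers'     'Authorization, Content-Type, Accept, Range, x-session-token' always;
            add_header 'Access-Control-Allow-Credentials' 'true' always;
            add_header 'Access-Control-Max-Age'           86400 always;
            add_header 'Content-Length'                   0 always;
            return 204;
        }

        # Actual request: "always" attaches these headers to every response
        # code, including a 500 from the upstream, so the browser surfaces the
        # real error instead of a CORS failure.
        add_header 'Access-Control-Allow-Origin'      $cors_origin always;
        add_header 'Access-Control-Allow-Credentials' 'true' always;
        # Tell shared caches the grant depends on the requesting Origin.
        add_header 'Vary'                             'Origin' always;

        proxy_pass http://common;
    }
}
```

After reloading, a PUT with `Origin: https://dev.xyz.app` that the upstream answers with 500 will still carry `Access-Control-Allow-Origin: https://dev.xyz.app`, so the browser console shows the 500 rather than the CORS message; a request with any other Origin receives no Access-Control-Allow-Origin header at all.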
