CORS错误仅发生在使用nginx代理上游服务器的PUT / POST上

xzabzqsa  于 12个月前  发布在  Nginx
关注(0)|答案(1)|浏览(213)

我在我的Jelastic服务器前面添加了一个流量分配器(nginx),它之前运行没有任何问题。
GET请求和登录POST工作正常,但是一旦登录,POST和PUT请求就会失败,并出现已知的CORS错误(这些是针对实际请求的,preflights工作正常):

Access to XMLHttpRequest at '' from origin 'xyz' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

字符串
响应头为(错误代码为500):

Content-Length:
383

Content-Type:
text/html
Date:
Thu, 20 Jul 2023 11:46:56 GMT
Etag:
"6194d09a-17f"
Server:
nginx


同样的错误也发生在Firefox上,也在另一台运行Linux的机器上进行了测试。
奇怪的是,它在Safari浏览器上工作。如果我在那里做同样的POST / PUT请求,我会得到这些响应头:

:status: 201
Access-Control-Allow-Origin: *
Alt-Svc: h3=":443"; ma=86400
Content-Length: 956
Content-Security-Policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
Content-Type: application/json; charset=utf-8
Cross-Origin-Opener-Policy: same-origin
Date: Thu, 20 Jul 2023 11:12:56 GMT
ETag: W/"3bc-A0RyA0BcEO6RQG+lbMpZAiISc0Y"
origin-agent-cluster: ?1
Referrer-Policy: no-referrer
Server: nginx
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Content-Type-Options: nosniff
X-DNS-Prefetch-Control: off
x-download-options: noopen
X-Frame-Options: SAMEORIGIN
x-permitted-cross-domain-policies: none
X-XSS-Protection: 0


来自Brave/Chrome的URL请求:

curl 'https://dev-backend.xyz.app/api/collections/722/collectibles/4708' \
  -X 'PUT' \
  -H 'authority: dev-backend.xyz.app' \
  -H 'accept: application/json, text/plain, */*' \
  -H 'accept-language: en-GB,en;q=0.9' \
  -H 'authorization: Bearer abcdef' \
  -H 'content-type: application/json' \
  -H 'origin: https://dev.xyz.app' \
  -H 'referer: https://dev.xyz.app/' \
  -H 'sec-ch-ua: "Not.A/Brand";v="8", "Chromium";v="114", "Brave";v="114"' \
  -H 'sec-ch-ua-mobile: ?0' \
  -H 'sec-ch-ua-platform: "macOS"' \
  -H 'sec-fetch-dest: empty' \
  -H 'sec-fetch-mode: cors' \
  -H 'sec-fetch-site: same-site' \
  -H 'sec-gpc: 1' \
  -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36' \
  --data-raw '{jsondata}"


Safari的URL请求:

curl 'https://dev-backend.xyz.app/api/collections/722/collectibles/4708' \
-X 'PUT' \
-H 'Content-Type: application/json' \
-H 'Accept: application/json, text/plain, */*' \
-H 'Authorization: Bearer abcdef' \
-H 'Sec-Fetch-Site: same-site' \
-H 'Accept-Language: en-GB,en;q=0.9' \
-H 'Accept-Encoding: gzip, deflate, br' \
-H 'Sec-Fetch-Mode: cors' \
-H 'Host: dev-backend.xyz.app' \
-H 'Origin: https://dev.xyz.app' \
-H 'Content-Length: 944' \
-H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5.1 Safari/605.1.15' \
-H 'Referer: https://dev.xyz.app/' \
-H 'Connection: keep-alive' \
-H 'Sec-Fetch-Dest: empty' \
--data-binary '{jsondata}'


当前NGINX配置:

location / {
                        if ($request_method = 'OPTIONS') {
                           add_header 'Access-Control-Allow-Origin' $http_origin;
                            add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, PUT, DELETE';
                            add_header 'Access-Control-Allow-Credentials' 'true';
                            add_header 'Access-Control-Allow-Headers' 'Authorization,Content-Type,Accept';
                            add_header 'Access-Control-Max-Age' 86400;
                            return 204;
                        }
      
                        add_header 'Access-Control-Allow-Origin' $http_origin;
                        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, PUT, DELETE';
                        add_header 'Access-Control-Allow-Credentials' 'true';
                        add_header 'Access-Control-Allow-Headers' 'Range, Authorization, Content-Type, x-session-token';
                        add_header 'Access-Control-Max-Age' 3600;
                        

                        proxy_pass http://common;
                }


任何帮助这是赞赏。
我尝试了各种nginx配置更改,到目前为止没有任何工作。

anhgbhbe

anhgbhbe1#

使用'always'和 * 来表示access-control-allow-origin。因为有时候您使用的Framework可能没有正确处理Pre-Flight请求,并且在这种情况下没有返回正确的响应。
检查:https://nginx.org/en/docs/http/ngx_http_headers_module.html
看看如何使用“总是”。
别忘了给我给予,如果这对你有帮助的话。
范例:

location / {
    add_header 'Access-Control-Allow-Origin' '*' always;
    add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
    add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range' always;
    add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range' always;

    if ($request_method = 'OPTIONS') {
        add_header 'Access-Control-Max-Age' 1728000 always;
        add_header 'Content-Type' 'text/plain; charset=utf-8' always;
        add_header 'Content-Length' 0 always;
        return 204;
    }

    # Your other Nginx configurations...
}

字符串

相关问题