I added a load balancer (nginx) in front of my Jelastic server; before that, everything ran without any problems.
GET requests and the login POST work fine, but once logged in, POST and PUT requests fail with the well-known CORS error (this happens on the actual requests; the preflights work fine):
Access to XMLHttpRequest at '' from origin 'xyz' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
The response headers are (status code 500):

Content-Length: 383
Content-Type: text/html
Date: Thu, 20 Jul 2023 11:46:56 GMT
Etag: "6194d09a-17f"
Server: nginx
The same error also occurs in Firefox, and I also tested it on another machine running Linux.
Oddly, it works in Safari. If I make the same POST/PUT request there, I get these response headers:
:status: 201
Access-Control-Allow-Origin: *
Alt-Svc: h3=":443"; ma=86400
Content-Length: 956
Content-Security-Policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
Content-Type: application/json; charset=utf-8
Cross-Origin-Opener-Policy: same-origin
Date: Thu, 20 Jul 2023 11:12:56 GMT
ETag: W/"3bc-A0RyA0BcEO6RQG+lbMpZAiISc0Y"
origin-agent-cluster: ?1
Referrer-Policy: no-referrer
Server: nginx
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Content-Type-Options: nosniff
X-DNS-Prefetch-Control: off
x-download-options: noopen
X-Frame-Options: SAMEORIGIN
x-permitted-cross-domain-policies: none
X-XSS-Protection: 0
The request from Brave/Chrome (copied as cURL):
curl 'https://dev-backend.xyz.app/api/collections/722/collectibles/4708' \
  -X 'PUT' \
  -H 'authority: dev-backend.xyz.app' \
  -H 'accept: application/json, text/plain, */*' \
  -H 'accept-language: en-GB,en;q=0.9' \
  -H 'authorization: Bearer abcdef' \
  -H 'content-type: application/json' \
  -H 'origin: https://dev.xyz.app' \
  -H 'referer: https://dev.xyz.app/' \
  -H 'sec-ch-ua: "Not.A/Brand";v="8", "Chromium";v="114", "Brave";v="114"' \
  -H 'sec-ch-ua-mobile: ?0' \
  -H 'sec-ch-ua-platform: "macOS"' \
  -H 'sec-fetch-dest: empty' \
  -H 'sec-fetch-mode: cors' \
  -H 'sec-fetch-site: same-site' \
  -H 'sec-gpc: 1' \
  -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36' \
  --data-raw '{jsondata}'
The request from Safari (copied as cURL):
curl 'https://dev-backend.xyz.app/api/collections/722/collectibles/4708' \
  -X 'PUT' \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json, text/plain, */*' \
  -H 'Authorization: Bearer abcdef' \
  -H 'Sec-Fetch-Site: same-site' \
  -H 'Accept-Language: en-GB,en;q=0.9' \
  -H 'Accept-Encoding: gzip, deflate, br' \
  -H 'Sec-Fetch-Mode: cors' \
  -H 'Host: dev-backend.xyz.app' \
  -H 'Origin: https://dev.xyz.app' \
  -H 'Content-Length: 944' \
  -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5.1 Safari/605.1.15' \
  -H 'Referer: https://dev.xyz.app/' \
  -H 'Connection: keep-alive' \
  -H 'Sec-Fetch-Dest: empty' \
  --data-binary '{jsondata}'
Current NGINX config:

location / {
    # Preflight is answered here and never forwarded to the upstream.
    # add_header directives inside an "if" block replace, rather than extend,
    # the ones declared at location level.
    if ($request_method = 'OPTIONS') {
        add_header 'Access-Control-Allow-Origin' $http_origin;
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, PUT, DELETE';
        add_header 'Access-Control-Allow-Credentials' 'true';
        add_header 'Access-Control-Allow-Headers' 'Authorization,Content-Type,Accept';
        add_header 'Access-Control-Max-Age' 86400;
        return 204;
    }

    # CORS headers for the actual (non-preflight) request, added to the
    # response coming back from the upstream.
    add_header 'Access-Control-Allow-Origin' $http_origin;
    add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, PUT, DELETE';
    add_header 'Access-Control-Allow-Credentials' 'true';
    add_header 'Access-Control-Allow-Headers' 'Range, Authorization, Content-Type, x-session-token';
    add_header 'Access-Control-Max-Age' 3600;
    proxy_pass http://common;
}
Any help is appreciated.
I have tried various nginx configuration changes; so far nothing has worked.
1 answer

anhgbhbe1
Use 'always' and * for Access-Control-Allow-Origin, because sometimes the framework you are using may not handle the preflight request correctly, and in that case it does not return the correct response.
Check: https://nginx.org/en/docs/http/ngx_http_headers_module.html
and see how to use "always".
Don't forget to upvote me if this helps you.
Example:
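As an added example (not the answerer's own configuration, which is not shown on the page, and not the original poster's), here is the posted location block rewritten with the always parameter. It assumes the upstream is still named common and that https://dev.xyz.app from the post is the real front-end origin; the second map entry is a placeholder. Two points the advice above leaves out: a wildcard * cannot be combined with Access-Control-Allow-Credentials: true (browsers reject that pair), and echoing $http_origin back for any caller while credentials are enabled is itself a misconfiguration, since any website can then make credentialed cross-origin requests to the API from a logged-in browser. An origin allowlist in a map avoids both. Because the Safari capture shows the application already emitting Access-Control-Allow-Origin: *, the upstream copy is hidden so the browser never sees two values, which it treats as an error just like a missing header.

```nginx
# Added example, not the answerer's or the original poster's configuration.
# Assumptions: the upstream is still named "common", https://dev.xyz.app is the
# real front-end origin, https://app.xyz.app is a placeholder to replace.
# "always" on add_header needs nginx >= 1.7.5.

# ---- http level ----
# Echo the Origin back only when it is on the allowlist. An unlisted origin
# maps to "" and nginx omits a header whose value is the empty string, so the
# browser gets no Access-Control-Allow-Origin at all for untrusted callers.
map $http_origin $cors_origin {
    default                 "";
    "https://dev.xyz.app"   $http_origin;
    "https://app.xyz.app"   $http_origin;   # placeholder: replace with your real origins
}

# ---- inside the existing server block ----
location / {
    # Preflight: answer here, never forward it to the application.
    # add_header directives inside "if" replace, not extend, the ones below,
    # so the full preflight set is repeated here.
    if ($request_method = 'OPTIONS') {
        add_header 'Access-Control-Allow-Origin'      $cors_origin always;
        add_header 'Access-Control-Allow-Credentials' 'true' always;
        add_header 'Access-Control-Allow-Methods'     'GET, POST, OPTIONS, PUT, DELETE' always;
        add_header 'Access-Control-Allow-Headers'     'Authorization, Content-Type, Accept, Range, x-session-token' always;
        add_header 'Access-Control-Max-Age'           86400 always;
        add_header 'Vary'                             'Origin' always;
        return 204;
    }

    # Actual request. Without "always", add_header only fires on 200, 201,
    # 204, 206, 301, 302, 303, 304, 307 and 308, so the 500 from the backend
    # went out with no CORS headers and the browser reported a CORS failure
    # instead of the real error. With "always" they are attached to every
    # status code. Allow-Methods/Allow-Headers/Max-Age only matter on the
    # preflight, so they are not repeated here.
    add_header 'Access-Control-Allow-Origin'      $cors_origin always;
    add_header 'Access-Control-Allow-Credentials' 'true' always;
    add_header 'Vary'                             'Origin' always;

    # The Safari capture shows the application itself sending
    # Access-Control-Allow-Origin: *. Hide the upstream copies so the browser
    # never sees two values for the same header.
    proxy_hide_header Access-Control-Allow-Origin;
    proxy_hide_header Access-Control-Allow-Credentials;

    proxy_pass http://common;
}
```

With always in place the browser stops masking the failure as CORS and shows the 500 itself, which still has to be investigated separately: the failing response in the question is text/html with a static-file style ETag rather than the JSON the application returns, so the request appears not to be reaching the application at all. Verify the change from the command line with a preflight and a real request carrying Origin: https://dev.xyz.app, and confirm that a request with an Origin not in the map comes back without any Access-Control-Allow-Origin header.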