I have an NGINX server with PHP (let's assume a hostname of http://myserver.com). I have a PHP script that I'm accessing via XHR from a web page on my localhost. I'm using it as a GeoIP server similar to freegeoip.net.
I'm trying to lock down XHR to specific domains.
Here's my config setup:
location ~ \.php$ {
try_files $uri =404;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
fastcgi_param GEOIP_COUNTRY_CODE $geoip2_data_country_code;
fastcgi_param GEOIP_COUNTRY_NAME $geoip2_data_country_name;
fastcgi_param GEOIP_COUNTRY_GEONAME_ID $geoip2_data_country_geoname_id;
fastcgi_param GEOIP_CITY_NAME $geoip2_data_city_name;
fastcgi_param GEOIP_CITY_GEONAME_ID $geoip2_data_city_geoname_id;
fastcgi_param GEOIP_CONTINENT_CODE $geoip2_data_city_continent_code;
fastcgi_param GEOIP_CONTINENT_GEONAME_ID $geoip2_data_city_continent_geoname_id;
fastcgi_param GEOIP_LATITUDE $geoip2_data_city_location_latitude;
fastcgi_param GEOIP_LONGITUDE $geoip2_data_city_location_longitude;
fastcgi_param GEOIP_TIME_ZONE $geoip2_data_city_location_timezone;
fastcgi_param GEOIP_ISP $geoip2_data_city_traits_isp;
fastcgi_param GEOIP_IP_ADDRESS $geoip2_data_city_traits_ip_address;
set $cors "";
if ($http_origin ~* 'https?://(www\.domain1\.com|www\.domain2\.com)')
{
set $cors "true";
}
if ($cors = 'true')
{
add_header 'Access-Control-Allow-Origin' "$http_origin";
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,Pragma,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Mx-ReqToken,X-Requested-With';
}
if ($request_method = 'OPTIONS')
{
return 204;
}
}
The issue I'm having is that when I execute the XHR request, I get the following error:
XMLHttpRequest cannot load http://myserver.com/. The 'Access-Control-Allow-Origin' header contains multiple values '*, http://localhost', but only one is allowed. Origin 'http://localhost' is therefore not allowed access.
I have only one call to add_header 'Access-Control-Allow-Origin' "$http_origin";
in the config file, so why do I have the multiple values? Is there a way I can disable the first call i.e. *
?
The 'Access-Control-Allow-Origin' header contains multiple values 'http://127.0.0.1:9000, http://127.0.0.1:9000', but only one is allowed. Origin 'http://127.0.0.1:9000' is therefore not allowed access. Fiddler shows me that there are indeed two header entries in the get request after a successful options request.
To enable CORS on NGINX, you need to use the add_header directive and add it to the appropriate NGINX configuration file. to allow access from any domain.
The Nginx add_header directive allows you to define an arbitrary response header and value to be included in all response codes, which are equal to 200 , 201 , 204 , 206 , 301 , 302 , 303 , 304 , or 307 . This can be defined from within your nginx.
So the mistake I made was that I had the following in my PHP file:
header('Access-Control-Allow-Origin: *');
I had set it up earlier and just forgot to take it out.
Everything works great now.
1.) Have the application dynamically approve and add the response header.
$allowed_domains = ['http://allowed.com','http://another_allowed.com'];
function add_cors_header() {
if (in_array($_SERVER['http_origin'], $allowed_domains)) {
header('Access-Control-Allow-Origin', $_SERVER['http_origin']);
}
}
2.) Or install the OpenResty version of Nginx with Lua enabled and do the same, but with Lua in the Nginx conf file.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With