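Trying to access my API via Ajax, I get this error:
No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:9090' is therefore not allowed access. The response had HTTP status code 404.
My NGINX configuration looks like this; I am also using Varnish.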
server {
    listen 127.0.0.1:8080;
    server_name api.example.cc;
    access_log /var/log/nginx/api.access.log combined;
    error_log /var/log/nginx/api.error.log;
    root /home/spark/api.example.cc/web;
    #index index.php;
    try_files $uri /index.php;
    set $cache_uri $request_uri;
    location / {
        add_header 'Access-Control-Allow-Origin' 'http://localhost:9090';
        add_header 'Access-Control-Allow-Credentials' 'true';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization';
    }
}
Result of curl -X OPTIONS -i http://api.example.cc:
HTTP/1.1 204 No Content
Server: nginx/1.8.0
Date: Wed, 30 Dec 2015 20:14:27 GMT
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Allow-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization
Access-Control-Max-Age: 1728000
Content-Type: text/plain charset=UTF-8
Content-Length: 0
X-Varnish: 65550
Age: 0
Via: 1.1 varnish-v4
Connection: keep-alive
Result of curl -X GET / POST -i http://api.example.cc:
HTTP/1.1 403 Forbidden
Server: nginx/1.8.0
Date: Wed, 30 Dec 2015 20:23:17 GMT
Content-Type: text/html
Content-Length: 168
X-Varnish: 32823
Age: 0
Via: 1.1 varnish-v4
Connection: keep-alive
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.8.0</center>
</body>
</html>
Answer 0: (score: 1)
Putting the configuration
add_header 'Access-Control-Allow-Origin' 'http://localhost:9090';
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization';
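before "location / {...}" helped me.
Answer 1: (score: 0)
If you run into a 404 error after setting up the CORS configuration, or cannot get past the CORS security policy when accessing the API via Ajax, you can try this nginx configuration: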
server {
    listen 127.0.0.1:8080;
    server_name api.example.cc;
    access_log /var/log/nginx/api.access.log combined;
    error_log /var/log/nginx/api.error.log;
    root /home/sites/api.cc/web;
    #index index.php;
    try_files $uri /index.php;
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
        # With php5-fpm:
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # more_set_headers (headers-more module) takes each header as one 'Name: value' string
        if ($request_method = 'OPTIONS') {
            more_set_headers 'Access-Control-Allow-Origin: *';
            #
            # Om nom nom cookies
            #
            more_set_headers 'Access-Control-Allow-Credentials: true';
            more_set_headers 'Access-Control-Allow-Methods: GET, POST, OPTIONS';
            #
            # Custom headers and headers various browsers *should* be OK with but aren't
            #
            more_set_headers 'Access-Control-Allow-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization';
            # Tell client that this pre-flight info is valid for 20 days
            #
            more_set_headers 'Access-Control-Max-Age: 1728000';
            more_set_headers 'Content-Type: text/plain; charset=UTF-8';
            more_set_headers 'Content-Length: 0';
            return 204;
        }
        if ($request_method = 'POST') {
            more_set_headers 'Access-Control-Allow-Origin: *';
            more_set_headers 'Access-Control-Allow-Credentials: true';
            more_set_headers 'Access-Control-Allow-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization';
            more_set_headers 'Access-Control-Allow-Methods: GET, POST, OPTIONS';
        }
        if ($request_method = 'GET') {
            more_set_headers 'Access-Control-Allow-Origin: *';
            more_set_headers 'Access-Control-Allow-Credentials: true';
            more_set_headers 'Access-Control-Allow-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization';
            more_set_headers 'Access-Control-Allow-Methods: GET, POST, OPTIONS';
        }
    }
}
To use more_set_headers in your nginx:
apt-get install nginx-extras
Hope that helps.
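Answer 2: (score: 0)
For other users facing the same kind of problem: the 404 error should also be resolved before troubleshooting the missing Access-Control-Allow-Origin header.
If the web server cannot find the requested resource, your application code is never executed and the header is never set. The web server returns its default 404 error response, which does not contain the Access-Control-Allow-Origin header.
Once the 404 error is resolved, your application code will be executed and should set the response headers as needed.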
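An added example (not code from the question or from any answer) of CORS headers in nginx that also reach 404/403 error responses, the failure the last answer describes, and that name the allowed origin explicitly, because browsers reject a wildcard Access-Control-Allow-Origin on credentialed requests. The allowlisted origin, the trimmed header list and the omitted PHP routing are assumptions; the two map blocks belong in the http context.

```nginx
# Added example, not the poster's configuration. The allowlist entry is an
# assumption: list the origins your front end is actually served from.
map $http_origin $cors_origin {
    default                 "";            # unknown origin: no header is sent
    "http://localhost:9090" $http_origin;  # echo back an allowlisted origin
}

# Send Allow-Credentials only together with an allowlisted origin.
map $cors_origin $cors_credentials {
    default "true";
    ""      "";
}

server {
    listen 127.0.0.1:8080;
    server_name api.example.cc;
    root /home/spark/api.example.cc/web;

    # "always" (nginx 1.7.5 and later) attaches the header to 4xx/5xx
    # responses as well, so a 404 or 403 from the API is reported to the
    # page as that status instead of as a CORS failure.
    # add_header with an empty value emits no header at all.
    add_header 'Access-Control-Allow-Origin'      $cors_origin         always;
    add_header 'Access-Control-Allow-Credentials' $cors_credentials    always;
    add_header 'Access-Control-Allow-Methods'     'GET, POST, OPTIONS' always;
    add_header 'Access-Control-Allow-Headers'     'Content-Type,Authorization,X-Requested-With' always;

    # Varnish sits in front of nginx: vary the cache on Origin so a response
    # stored for one origin is never replayed to another.
    add_header 'Vary' 'Origin' always;

    location / {
        # No add_header in this block: a single add_header here would
        # replace every header inherited from the server level.
        if ($request_method = OPTIONS) {
            return 204;   # preflight answered with the inherited headers
        }
        # Existing routing / PHP handling goes here (assumed, not shown).
    }
}
```

Repeating the curl -i requests from the question with an added -H 'Origin: http://localhost:9090' should show Access-Control-Allow-Origin on the error responses too, and no such header for an origin outside the map.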