Nginx Access-Control-Allow-Origin not working

Time: 2015-12-30 19:50:31

Tags: ajax nginx

Trying to access my API via Ajax, I get this error:

  

No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:9090' is therefore not allowed access. The response had HTTP status code 404.

My NGINX configuration looks like this, and I am also using Varnish.

server {
    listen 127.0.0.1:8080;
    server_name api.example.cc;

    access_log /var/log/nginx/api.access.log combined;
    error_log /var/log/nginx/api.error.log;

    root /home/spark/api.example.cc/web;
    #index index.php;
    try_files $uri /index.php;

    set $cache_uri $request_uri;
    location / {
            add_header 'Access-Control-Allow-Origin' 'http://localhost:9090';
            add_header 'Access-Control-Allow-Credentials' 'true';
            add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
            add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization';
    }
}

Result of curl -X OPTIONS -i http://api.example.cc:

HTTP/1.1 204 No Content
Server: nginx/1.8.0
Date: Wed, 30 Dec 2015 20:14:27 GMT
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Allow-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization
Access-Control-Max-Age: 1728000
Content-Type: text/plain charset=UTF-8
Content-Length: 0
X-Varnish: 65550
Age: 0
Via: 1.1 varnish-v4
Connection: keep-alive

Result of curl -X GET / POST -i http://api.example.cc:

HTTP/1.1 403 Forbidden
Server: nginx/1.8.0
Date: Wed, 30 Dec 2015 20:23:17 GMT
Content-Type: text/html
Content-Length: 168
X-Varnish: 32823
Age: 0
Via: 1.1 varnish-v4
Connection: keep-alive

<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.8.0</center>
</body>
</html>

3 answers:

Answer 0: (score: 1)

Putting the configuration

add_header 'Access-Control-Allow-Origin' 'http://localhost:9090';
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization';

before "location / {...}" helped me

Answer 1: (score: 0)

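If you run into a 404 error after configuring CORS, or cannot get past the CORS security policy when accessing the API via ajax, you can try this nginx configuration: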

server {
    listen 127.0.0.1:8080;
    server_name api.example.cc;

    access_log /var/log/nginx/api.access.log combined;
    error_log /var/log/nginx/api.error.log;

    root /home/sites/api.cc/web;
    #index index.php;
    try_files $uri /index.php;

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;

        # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini

        # With php5-fpm:
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

        # more_set_headers takes each header as a single 'Name: value' argument
        if ($request_method = 'OPTIONS') {
            more_set_headers 'Access-Control-Allow-Origin: *';
            #
            # Om nom nom cookies
            #
            more_set_headers 'Access-Control-Allow-Credentials: true';
            more_set_headers 'Access-Control-Allow-Methods: GET, POST, OPTIONS';
            #
            # Custom headers and headers various browsers *should* be OK with but aren't
            #
            more_set_headers 'Access-Control-Allow-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization';
            #
            # Tell client that this pre-flight info is valid for 20 days
            #
            more_set_headers 'Access-Control-Max-Age: 1728000';
            more_set_headers 'Content-Type: text/plain; charset=UTF-8';
            more_set_headers 'Content-Length: 0';
            return 204;
        }
        if ($request_method = 'POST') {
            more_set_headers 'Access-Control-Allow-Origin: *';
            more_set_headers 'Access-Control-Allow-Credentials: true';
            more_set_headers 'Access-Control-Allow-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization';
            more_set_headers 'Access-Control-Allow-Methods: GET, POST, OPTIONS';
        }
        if ($request_method = 'GET') {
            more_set_headers 'Access-Control-Allow-Origin: *';
            more_set_headers 'Access-Control-Allow-Credentials: true';
            more_set_headers 'Access-Control-Allow-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization';
            more_set_headers 'Access-Control-Allow-Methods: GET, POST, OPTIONS';
        }
    }

}

To use more_set_headers in your nginx,

install: apt-get install nginx-extras

Hope that helps

Answer 2: (score: 0)

For others facing the same kind of problem: the 404 error should also be resolved before troubleshooting the missing Access-Control-Allow-Origin header.

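If the web server cannot find the requested resource, your application code is never executed and the headers are never set. The web server returns its default 404 error response, which does not contain the Access-Control-Allow-Origin header.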

Once the 404 error is resolved, your application code will be executed and should set the response headers as needed.
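
Answers 0 and 2 both turn on when nginx attaches the header: `add_header` is skipped on 4xx/5xx responses unless `always` is given, and headers declared at server level are inherited only by locations that declare none of their own. The configuration below is an added example, not from the original post or its answers; the allowlist entry, the shortened header list and the variable names `$cors_origin` and `$cors_credentials` are assumptions. It echoes an allowlisted origin rather than `*`, because browsers reject `Access-Control-Allow-Origin: *` on credentialed requests.

```nginx
# Added example (not from the original post). Allowlist entries are assumptions.
# http{} level: $cors_origin is the request's Origin when allowlisted, else empty.
# add_header emits nothing for an empty value, so other origins get no CORS headers.
map $http_origin $cors_origin {
    default                  "";
    "http://localhost:9090"  $http_origin;
}
map $cors_origin $cors_credentials {
    ""       "";
    default  "true";
}

server {
    listen 127.0.0.1:8080;
    server_name api.example.cc;
    root /home/spark/api.example.cc/web;

    # Declared at server level so every location without its own add_header
    # inherits them. "always" (nginx >= 1.7.5) attaches them to 403/404 and
    # other error responses too; without it add_header only applies to a
    # fixed list of 2xx and 3xx status codes.
    add_header Access-Control-Allow-Origin      $cors_origin always;
    add_header Access-Control-Allow-Credentials $cors_credentials always;
    add_header Access-Control-Allow-Methods     "GET, POST, OPTIONS" always;
    add_header Access-Control-Allow-Headers     "Content-Type, Authorization, X-Requested-With" always;
    add_header Access-Control-Max-Age           1728000 always;
    # Varnish sits in front of this server: vary the cache on Origin so a
    # response built for one origin is not replayed to another.
    add_header Vary Origin always;

    location / {
        # Answer the preflight directly. The block contains only "return",
        # so the server-level add_header lines still apply to the 204.
        if ($request_method = OPTIONS) {
            return 204;
        }
        try_files $uri /index.php;
    }

    location ~ \.php$ {
        # No add_header in this block: declaring one here would replace the
        # whole inherited server-level set for PHP responses.
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/var/run/php5-fpm.sock;  # socket path as in answer 1
    }
}
```

Check it with `curl -i -H 'Origin: http://localhost:9090' http://api.example.cc/` and again with an origin that is not on the list; only the first response should carry `Access-Control-Allow-Origin`, including when the status is 403 or 404.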