From 0439e7f691a265b2f26f54fe9ac1a3c75ed967ce Mon Sep 17 00:00:00 2001
From: Greg
Date: Tue, 27 May 2025 01:12:43 +0200
Subject: [PATCH] refactor: move CORS config from global to route-specific locations in nginx.conf
---
 nginx.conf | 69 ++++++++++++++++++++++++++++++------------------
 1 file changed, 38 insertions(+), 31 deletions(-)
diff --git a/nginx.conf b/nginx.conf
index adb15e6..d90c07e 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -1,37 +1,16 @@
-# Main server block
 server {
     listen 80;
     server_name localhost;
     root /usr/share/nginx/html;
     index index.html;
-
+
     # Enable gzip compression
     gzip on;
     gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
-
-    # Global CORS configuration
-    add_header 'Access-Control-Allow-Origin' '*' always;
-    add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;
-    add_header 'Access-Control-Allow-Headers' 'Origin, X-Requested-With, Content-Type, Accept, Authorization' always;
-
-    # Global OPTIONS handler
-    if ($request_method = 'OPTIONS') {
-        add_header 'Access-Control-Allow-Origin' '*';
-        add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS';
-        add_header 'Access-Control-Allow-Headers' 'Origin, X-Requested-With, Content-Type, Accept, Authorization';
-        add_header 'Access-Control-Max-Age' 1728000;
-        add_header 'Content-Type' 'text/plain charset=UTF-8';
-        add_header 'Content-Length' 0;
-        return 204;
-    }
-
+
     # DATA API ENDPOINTS - NO AUTHENTICATION
-    # This location must be defined BEFORE the root location to take precedence
     location ^~ /data/ {
-        # Explicitly disable authentication for data API
         auth_basic off;
-
-        # API Proxy configuration
         proxy_pass http://localhost:3000/data/;
         proxy_http_version 1.1;
         proxy_set_header Upgrade $http_upgrade;
@@ -40,27 +19,55 @@ server {
         proxy_cache_bypass $http_upgrade;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+        # CORS headers
+        add_header 'Access-Control-Allow-Origin' '*' always;
+        add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;
+        add_header 'Access-Control-Allow-Headers' 'Origin, X-Requested-With, Content-Type, Accept, Authorization' always;
+
+        # Preflight requests
+        if ($request_method = 'OPTIONS') {
+            add_header 'Access-Control-Allow-Origin' '*';
+            add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS';
+            add_header 'Access-Control-Allow-Headers' 'Origin, X-Requested-With, Content-Type, Accept, Authorization';
+            add_header 'Access-Control-Max-Age' 1728000;
+            add_header 'Content-Type' 'text/plain charset=UTF-8';
+            add_header 'Content-Length' 0;
+            return 204;
+        }
     }
-
+
     # AUTHENTICATED APPLICATION ROUTES
-    # This covers all routes except those specifically excluded above
     location / {
-        # Apply authentication
         include /etc/nginx/auth.conf;
-
-        # Serve static files
         try_files $uri $uri/ /index.html;
+
+        # CORS headers
+        add_header 'Access-Control-Allow-Origin' '*' always;
+        add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;
+        add_header 'Access-Control-Allow-Headers' 'Origin, X-Requested-With, Content-Type, Accept, Authorization' always;
+
+        # Preflight requests
+        if ($request_method = 'OPTIONS') {
+            add_header 'Access-Control-Allow-Origin' '*';
+            add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS';
+            add_header 'Access-Control-Allow-Headers' 'Origin, X-Requested-With, Content-Type, Accept, Authorization';
+            add_header 'Access-Control-Max-Age' 1728000;
+            add_header 'Content-Type' 'text/plain charset=UTF-8';
+            add_header 'Content-Length' 0;
+            return 204;
+        }
     }
-
+
     # Enable browser caching for static assets
     location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
-        # Include authentication for static assets
         include /etc/nginx/auth.conf;
-
         expires 30d;
         add_header Cache-Control "public, no-transform";
         add_header 'Access-Control-Allow-Origin' '*' always;
     }
+}
+
     # Error pages
     error_page 404 /index.html;
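Review bot: The `}` added immediately before `# Error pages` closes the `server` block (opened in the previous hunk), so `error_page 404 /index.html;` now lives in whatever context encloses this file; that only parses if the file is included from `http {}`, and if the original server-closing brace still follows further down (outside this hunk) nginx will reject the config with an unmatched `}`. Either move the new `}` to after `error_page 404 /index.html;` so the directive stays in `server`, or confirm the enclosing context before merging. The same 16-line CORS/preflight block is now pasted verbatim into both `location ^~ /data/` and `location /`; since the file already uses `include /etc/nginx/auth.conf;`, the same mechanism (`include <path-to-cors-snippet>;`, path to be chosen) would stop the two copies drifting while still satisfying nginx's rule that `add_header` is not inherited once a location defines its own. While the lines are being moved, `add_header 'Content-Type' 'text/plain charset=UTF-8';` is a malformed media type and should read `'text/plain; charset=UTF-8'`. On `location /`, which sits behind `auth.conf`, `Access-Control-Allow-Origin '*'` cannot authorise credentialed cross-origin reads (browsers reject `*` for requests carrying Authorization or cookies), so it either needs an explicit origin allow-list plus `Access-Control-Allow-Credentials`, or it can be dropped from the authenticated route to keep the exposed surface minimal.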