diff --git a/nginx/defaults/main.yml b/nginx/defaults/main.yml
index 24fb304e..b6a3d18c 100644
--- a/nginx/defaults/main.yml
+++ b/nginx/defaults/main.yml
@@ -59,6 +59,7 @@ nginx_client_max_body_size: 100M
 nginx_client_body_timeout: 240s
 nginx_cors_limit_origin: False
+nginx_cors_extended_rules: False
 nginx_cors_acl_origin: 'http?://(localhost)'
 # Find a set of acceptable defaults for the cache setup
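Review bot: The new `nginx_cors_extended_rules` default is added without a comment saying which CORS snippet it selects, and its interaction with `nginx_cors_limit_origin` on the line above is what decides whether the rendered config reflects the request Origin. I would document it in place: `# False: one CORS block that reflects $http_origin (matched against nginx_cors_acl_origin only when nginx_cors_limit_origin is True); True: per-method rules with a static Allow-Origin`. That reading comes from the templated snippet changed in this same commit; confirm it against a rendered config before committing the wording.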
@@ -109,56 +110,3 @@ nginx_use_common_virthost: False
 # include fastcgi_params;
 # }
-# TODO: ckan, ssl with 80 -> 443 redirection, ssl only (no listening on 80).
-# If nginx via ppa, proxy_protocol e http/2 too
-# php, rewrite rules, acls, ldap auth
-# More robust rules
-# log format personalization (global, inside conf.d)
-# CORS
-#
-# Special cases: mediawiki,...
-#
-# CORS example 1
- # set $cors '';
- # if ($http_origin ~* 'https?://(localhost|*\.example\.org)') {
- # set $cors 'true';
- # }
-
- # if ($cors = 'true') {
- # add_header 'Access-Control-Allow-Origin' "$http_origin";
- # add_header 'Access-Control-Allow-Credentials' 'true';
- # add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS';
- # add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Mx-ReqToken,X-Requested-With';
- # }
-
- # if ($request_method = 'OPTIONS') {
- # return 204;
- # }
-
-# CORS example 2
- # location / {
- # if ($request_method = 'OPTIONS') {
- # add_header 'Access-Control-Allow-Origin' '*';
- # add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
- # #
- # # Custom headers and headers various browsers *should* be OK with but aren't
- # #
- # add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
- # #
- # # Tell client that this pre-flight info is valid for 20 days
- # #
- # add_header 'Access-Control-Max-Age' 1728000;
- # add_header 'Content-Type' 'text/plain charset=UTF-8';
- # add_header 'Content-Length' 0;
- # return 204;
- # }
- # if ($request_method = 'POST') {
- # add_header 'Access-Control-Allow-Origin' '*';
- # add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
- # add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
- # }
- # if ($request_method = 'GET') {
- # add_header 'Access-Control-Allow-Origin' '*';
- # add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
- # add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
- # }
diff --git a/nginx/templates/nginx-cors.conf.j2 b/nginx/templates/nginx-cors.conf.j2
index 9314fad6..9ad887f7 100644
--- a/nginx/templates/nginx-cors.conf.j2
+++ b/nginx/templates/nginx-cors.conf.j2
@@ -1,6 +1,7 @@
+{% if nginx_cors_extended_rules %}
 if ($request_method = 'OPTIONS') {
 {% if nginx_cors_limit_origin %}
- add_header 'Access-Control-Allow-Origin' "${{ nginx_cors_acl_origin }}";
+ add_header 'Access-Control-Allow-Origin' "{{ nginx_cors_acl_origin }}";
 add_header 'Access-Control-Allow-Credentials' 'true';
 {% else %}
 add_header 'Access-Control-Allow-Origin' '*';
@@ -31,7 +32,7 @@ if ($request_method = 'POST') {
 }
 if ($request_method = 'GET') {
 {% if nginx_cors_limit_origin %}
- add_header 'Access-Control-Allow-Origin' "${{ nginx_cors_acl_origin }}";
+ add_header 'Access-Control-Allow-Origin' "{{ nginx_cors_acl_origin }}";
 add_header 'Access-Control-Allow-Credentials' 'true';
 {% else %}
 add_header 'Access-Control-Allow-Origin' '*';
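Review bot: In the extended-rules branch `nginx_cors_acl_origin` is now emitted verbatim as the `Access-Control-Allow-Origin` value, while the non-extended branch added later in this same commit uses the same variable as a regex matched against `$http_origin`; with the shipped default `'http?://(localhost)'` the header here becomes a literal pattern that no browser will accept as an origin. Either reflect the request origin after the same regex check (`add_header 'Access-Control-Allow-Origin' "$http_origin";` inside a `$cors` guard) or document that the variable must hold one literal origin whenever `nginx_cors_extended_rules` is True. The identical substitution in the GET block hunk below needs the same treatment. The enclosing OPTIONS block continues past the end of this hunk.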
@@ -40,3 +41,28 @@ if ($request_method = 'GET') {
 add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
 add_header 'Access-Control-Expose-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
 }
+{% else %}
+{% if nginx_cors_limit_origin %}
+set $cors '';
+if ($http_origin ~* '{{ nginx_cors_acl_origin }}') {
+ set $cors 'true';
+}
+if ($cors = 'true') {
+{% endif %}
+{% if nginx_cors_limit_origin %}
+ add_header 'Access-Control-Allow-Origin' "$http_origin";
+{% else %}
+ add_header 'Access-Control-Allow-Origin' "$http_origin";
+ # add_header 'Access-Control-Allow-Origin' "*";
+{% endif %}
+ add_header 'Access-Control-Allow-Credentials' 'true';
+ add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+ add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Mx-ReqToken,X-Requested-With';
+{% if nginx_cors_limit_origin %}
+}
+{% endif %}
+if ($request_method = 'OPTIONS') {
+ return 204;
+}
+{% endif %}
+
diff --git a/smartgears/smartgears-nginx-frontend/templates/generic-smartgears-virtualhost.j2 b/smartgears/smartgears-nginx-frontend/templates/generic-smartgears-virtualhost.j2
index 5da25071..cc525ac3 100644
--- a/smartgears/smartgears-nginx-frontend/templates/generic-smartgears-virtualhost.j2
+++ b/smartgears/smartgears-nginx-frontend/templates/generic-smartgears-virtualhost.j2
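Review bot: When `nginx_cors_limit_origin` is False, the new `{% else %}` branch reflects `$http_origin` into `Access-Control-Allow-Origin` and the unconditional `Access-Control-Allow-Credentials: true` that follows applies to it, so any website can issue credentialed cross-origin requests and read the response — exactly the permissive-CORS misconfiguration an origin allow-list is meant to prevent. The unrestricted case should emit `'*'` (the commented-out line) and drop the credentials header, keeping origin reflection only inside the `$cors` guard together with `Vary: Origin` so a shared cache does not hand one origin's header to another. The origin check is also unanchored, so with the default `'http?://(localhost)'` an Origin of `http://localhost.attacker.example` passes; anchoring in the template (`~* '^({{ nginx_cors_acl_origin }})$'`) closes that unless operators already anchor their own values, in which case the requirement should be documented on the variable instead. Separately, `add_header` directives set inside one `if` block are not inherited by the sibling `if ($request_method = 'OPTIONS')` block, so in the limited mode the preflight 204 likely goes out without any CORS headers — worth checking against a rendered config.
```nginx
# … unchanged: extended-rules branch …
{% else %}
{% if nginx_cors_limit_origin %}
set $cors '';
if ($http_origin ~* '^({{ nginx_cors_acl_origin }})$') {
    set $cors 'true';
}
if ($cors = 'true') {
    add_header 'Access-Control-Allow-Origin' "$http_origin";
    add_header 'Access-Control-Allow-Credentials' 'true';
    add_header 'Vary' 'Origin';
{% else %}
    # Unrestricted CORS: wildcard origin and no credentials (browsers reject '*' with credentials)
    add_header 'Access-Control-Allow-Origin' '*';
{% endif %}
    add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
# … unchanged: Allow-Headers, closing-brace guard, OPTIONS return 204, endif …
```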
@@ -65,10 +65,14 @@ server {
 location /{{ context }} {
 {% if smartgears_nginx_cors_enabled %}
 include /etc/nginx/snippets/nginx-cors.conf;
+ {% if nginx_cors_extended_rules %}
 proxy_pass http://localhost:{{ item.http_port }};
 {% else %}
 proxy_pass http://localhost:{{ item.http_port }}/{{ context }};
 {% endif %}
+ {% else %}
+ proxy_pass http://localhost:{{ item.http_port }}/{{ context }};
+ {% endif %}
 }
 {% endif %}
 {% endif %}
@@ -177,10 +181,14 @@ server {
 location /{{ context }} {
 {% if smartgears_nginx_cors_enabled %}
 include /etc/nginx/snippets/nginx-cors.conf;
+ {% if nginx_cors_extended_rules %}
 proxy_pass http://localhost:{{ item.http_port }};
 {% else %}
 proxy_pass http://localhost:{{ item.http_port }}/{{ context }};
 {% endif %}
+ {% else %}
+ proxy_pass http://localhost:{{ item.http_port }}/{{ context }};
+ {% endif %}
 }
 {% endif %}
 {% endif %}
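Review bot: The new inner `{% if nginx_cors_extended_rules %}` reuses the old outer `{% else %}`/`{% endif %}` lines, so the location now carries three `proxy_pass` lines, two of them identical, with the nesting hard to follow at column 0; choosing the include and the upstream URI with two flat conditionals expresses the same result in fewer lines. `nginx_cors_extended_rules` is a default of the nginx role, and if that role is not a dependency of smartgears-nginx-frontend this template will fail to render on an undefined variable — `nginx_cors_extended_rules | default(False)` guards that; confirm how the roles are wired. Note that `proxy_pass` without a URI forwards the client's raw request URI while the `/{{ context }}` form forwards the normalized one, so the two branches are not strictly interchangeable and a one-line comment on why extended rules need the bare form would help the next reader. The identical hunk at line 177 needs the same change.
```nginx
    location /{{ context }} {
{% if smartgears_nginx_cors_enabled %}
        include /etc/nginx/snippets/nginx-cors.conf;
{% endif %}
{% if smartgears_nginx_cors_enabled and nginx_cors_extended_rules | default(False) %}
        # bare proxy_pass: raw request URI is forwarded unchanged
        proxy_pass http://localhost:{{ item.http_port }};
{% else %}
        proxy_pass http://localhost:{{ item.http_port }}/{{ context }};
{% endif %}
    }
```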