Unable to resolve the "Access-Control-Allow-Origin" issue

Posted by Ajay Garg 
Hi All.

We are facing the following issue :

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the
remote resource at https://1.2.3.4/. (Reason: CORS header 'Access-Control-
Allow-Origin' missing).

I have tried everything I could find on Google, but nothing works
(whatever I do in /etc/nginx/sites-available/default).


So, first question first, is it even possible to solve this issue on the
version, as per the information below ::

########################################################
nginx -V
nginx version: nginx/1.4.6 (Ubuntu)
built by gcc 4.8.4 (Ubuntu 4.8.4-2ubuntu1~14.04.3)
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fstack-protector
--param=ssp-buffer-size=4 -Wformat -Werror=format-security
-D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro'
--prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf
--http-log-path=/var/log/nginx/access.log
--error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock
--pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body
--http-fastcgi-temp-path=/var/lib/nginx/fastcgi
--http-proxy-temp-path=/var/lib/nginx/proxy
--http-scgi-temp-path=/var/lib/nginx/scgi
--http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit
--with-ipv6 --with-http_ssl_module --with-http_stub_status_module
--with-http_realip_module --with-http_addition_module
--with-http_dav_module --with-http_flv_module --with-http_geoip_module
--with-http_gzip_static_module --with-http_image_filter_module
--with-http_mp4_module --with-http_perl_module
--with-http_random_index_module --with-http_secure_link_module
--with-http_spdy_module --with-http_sub_module --with-http_xslt_module
--with-mail --with-mail_ssl_module
--add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/headers-more-nginx-module
--add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-auth-pam
--add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-cache-purge
--add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-dav-ext-module
--add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-development-kit
--add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-echo
--add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/ngx-fancyindex
--add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-http-push
--add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-lua
--add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-upload-progress
--add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/nginx-upstream-fair
--add-module=/build/nginx-9sG_hy/nginx-1.4.6/debian/modules/ngx_http_substitutions_filter_module
##########################################################



Thanks and Regards,
Ajay
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
For the record, here is the server-block ::


#########################################################
server {

    listen 443 ssl;

    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;

    add_header 'Access-Control-Max-Age' 1728000;
    add_header 'Access-Control-Allow-Origin' $http_origin;
    add_header 'Access-Control-Allow-Credentials' 'true';
    add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
    add_header 'Access-Control-Allow-Headers' 'DNT,Access-Control-Allow-Origin,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';

    location / {

        add_header 'Access-Control-Max-Age' 1728000;
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Credentials' 'true';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';

        auth_basic 'Restricted';
        auth_basic_user_file /etc/nginx/ssl/.htpasswd;

        proxy_set_header 'Access-Control-Max-Age' 1728000;
        proxy_set_header 'Access-Control-Allow-Origin' '*';
        proxy_set_header 'Access-Control-Allow-Credentials' 'true';
        proxy_set_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        proxy_set_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';

        proxy_pass $forwarded_protocol://127.0.0.1:$forwarded_port;

    }
}
#########################################################

On Wed, Apr 12, 2017 at 6:13 PM, Ajay Garg <[email protected]> wrote:

--
Regards,
Ajay
Richard Stanway
Re: Unable to resolve the "Access-Control-Allow-Origin" issue
April 12, 2017 05:10PM
You are using auth_basic, so the 401 response code is not in the range
that add_header works with ("Adds the specified field to a response header
provided that the response code equals 200, 201, 204, 206, 301, 302, 303,
304, or 307."). You need to use "always" if you want to include the header
in all responses. See the documentation for more details.

http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header

On Wed, Apr 12, 2017 at 4:48 PM, Ajay Garg <[email protected]> wrote:

Hi Richard.

Thanks for the help.

I added 'always' as the last argument in all the "add_header" and
"proxy_set_header" directives.
Unfortunately, I receive the following on the very first "add_header"
directive ::

#####################################################
2017/04/12 17:18:22 [emerg] 28540#0: invalid number of arguments in
"add_header" directive in /etc/nginx/sites-enabled/default:22
#####################################################


I guess the 'always' argument requires nginx >= 1.7.5.


Is there a pre-built package available for nginx?
Our linux-machine is ::

#####################################################
uname -a
Linux proxy 3.13.0-108-generic #155-Ubuntu SMP Wed Jan 11 16:58:52 UTC 2017
x86_64 x86_64 x86_64 GNU/Linux
#####################################################

If not, I guess the link to use is http://nginx.org/en/docs/configure.html,
but I am very afraid that I might miss something, so a pre-built package >=
1.7.5 (provided one exists) for our linux-machine would be great :)


Thanks for the help so far!!!


Thanks and Regards,
Ajay

On Wed, Apr 12, 2017 at 8:30 PM, Richard Stanway <[email protected]> wrote:




--
Regards,
Ajay
On Wed, Apr 12, 2017 at 06:13:19PM +0530, Ajay Garg wrote:

Hi there,

> We are facing the following issue :
>
> Cross-Origin Request Blocked: The Same Origin Policy disallows reading the
> remote resource at https://1.2.3.4/. (Reason: CORS header 'Access-Control-
> Allow-Origin' missing).

What's the issue, specifically?

It looks like your browser thinks it is talking to two web servers. Do
you think your browser is talking to two web servers? If not, that's
the problem to fix. Otherwise, you'll want to set suitable headers in
the response from the first web server.

If your browser should only be talking to https://1.2.3.4/, and everything
else should be reverse-proxied behind that, then the problem is that
some part of a back-end is leaking through, and the network allows the
browser to talk directly to something that it should not be talking to.

A later mail shows some nginx config, but it is not clear to me if that
is on the 1.2.3.4 server or on a different server; and it is not clear
to me why many of the add_header and proxy_set_header lines are there.

I suspect that if you can get a clear understanding of the issue, and of
what should be happening, then the path to configuring things to allow
it all to happen will become clearer.

Good luck with it,

f
--
Francis Daly francis@daoine.org
Upgraded to 1.11

Now things get worse: I am not being prompted for any credentials (even
with all browser cache cleared), even with the following
/etc/nginx/conf.d/default.conf ::


##########################################################
server {

    listen 443 ssl;
    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;

    # add_header 'Access-Control-Max-Age' 1728000 'always';
    # add_header 'Access-Control-Allow-Origin' $http_origin 'always';
    # add_header 'Access-Control-Allow-Credentials' 'true' 'always';
    # add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' 'always';
    # add_header 'Access-Control-Allow-Headers' 'DNT,Access-Control-Allow-Origin,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type' 'always';

    location / {

        # add_header 'Access-Control-Max-Age' 1728000 'always';
        # add_header 'Access-Control-Allow-Origin' '*' 'always';
        # add_header 'Access-Control-Allow-Credentials' 'true' 'always';
        # add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' 'always';
        # add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type' 'always';

        auth_basic 'Restricted';
        auth_basic_user_file /etc/nginx/ssl/.htpasswd;

        # proxy_set_header 'Access-Control-Max-Age' 1728000;
        # proxy_set_header 'Access-Control-Allow-Origin' '*';
        # proxy_set_header 'Access-Control-Allow-Credentials' 'true';
        # proxy_set_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        # proxy_set_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';

        proxy_pass $forwarded_protocol://127.0.0.1:$forwarded_port;

    }
}

##########################################################


Any ideas why this regression?

On Wed, Apr 12, 2017 at 10:54 PM, Ajay Garg <[email protected]> wrote:




--
Regards,
Ajay
Strange, but rebooting the machine caused the credentials popup to be
seen again :-|
Sorry for the noise here.

There has been some progress, but I still get a "CORS preflight did not
succeed" error.
Following is what I am doing.


a)
Following is the server-block in /etc/nginx/conf.d/default.conf ::

##########################################################################
server {

    listen 443 ssl;

    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;

    add_header 'Access-Control-Max-Age' 1728000 'always';
    add_header 'Access-Control-Allow-Origin' $http_origin 'always';
    add_header 'Access-Control-Allow-Credentials' 'true' 'always';
    add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' 'always';
    add_header 'Access-Control-Allow-Headers' 'DNT,Access-Control-Allow-Origin,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type' 'always';

    location / {

        auth_basic 'Restricted';
        auth_basic_user_file /etc/nginx/ssl/.htpasswd;

        proxy_set_header 'Access-Control-Max-Age' 1728000;
        proxy_set_header 'Access-Control-Allow-Origin' '*';
        proxy_set_header 'Access-Control-Allow-Credentials' 'true';
        proxy_set_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        proxy_set_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';

        proxy_pass $forwarded_protocol://127.0.0.1:$forwarded_port;

    }
}
##########################################################################




b)
Firing the following html from firefox (sensitive information changed) ::

##########################################################################
<html>
<body>
<script type="text/javascript">
var data = null;

var xhr = new XMLHttpRequest();
xhr.withCredentials = true;

xhr.addEventListener("readystatechange", function () {
    if (this.readyState === 4) {
        console.log(this.responseText);
    }
});

xhr.open("GET", "https://1.2.3.4/");
xhr.setRequestHeader("authorization", "Basic abcdefg");
xhr.setRequestHeader("cache-control", "no-cache");

xhr.send(data);
</script>
</body>
</html>
##########################################################################



Following is received in the firebug-console (sensitive information changed) ::

##########################################################################
GET https://23.253.207.208/
uff.html (line 19)
Headers

Accept
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding gzip, deflate, br
Accept-Language en-US,en;q=0.5
Authorization Basic abcdefg
Cache-Control no-cache
Host 1.2.3.4
Origin null
User-Agent Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:47.0)
Gecko/20100101 Firefox/47.0


Cross-Origin Request Blocked: The Same Origin Policy disallows reading
the remote resource at https://1.2.3.4/. (Reason: CORS preflight
channel did not succeed).
##########################################################################


I am beginning to believe that I am close to solving the issue (of
course all credit to tremendous help from this list).
I will be grateful for the last bit of help from the really helpful experts here.

Sorry again for the noise in my previous email.


Thanks and Regards,
Ajay
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Richard Stanway
Re: Unable to resolve the "Access-Control-Allow-Origin" issue
April 13, 2017 07:40PM
You're missing the "Authorization" header in
your Access-Control-Allow-Headers directive.

You can alternatively pass the basic auth in your URI, e.g. xhr.open("GET", "https://username:[email protected]/") rather than crafting it manually.

On Thu, Apr 13, 2017 at 4:50 PM, Ajay Garg <[email protected]> wrote:
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
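As an added example (not code from the thread), the JavaScript below models the checks a browser applies to a preflight response and runs them against constructed header sets matching the posted nginx block and XMLHttpRequest; the names preflightFailure and demo are my own. It shows the missing Authorization entry Richard points out, the reflected "null" origin combined with credentials, and that a 401 from auth_basic (a preflight carries no credentials) fails the preflight before any header is examined.

```javascript
// Added example, not code from the thread: a model of the checks a browser
// applies to a CORS preflight response, run against constructed header sets
// matching the posted nginx server block and the posted XMLHttpRequest.

// Request headers and methods that never need preflight approval (the extra
// value restriction on content-type is omitted).
const SAFELISTED = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);

// Parse "A, B,C" into lowercase tokens; a missing header parses as empty.
function parseList(value) {
  return (value || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
}

// request: { origin, method, headers: [names], credentials }; response: { status, headers }
// Returns null when the preflight passes, otherwise the first reason it fails.
function preflightFailure(request, response) {
  if (response.status < 200 || response.status > 299) {
    return `preflight answered with HTTP ${response.status}`;
  }
  const allowOrigin = response.headers["access-control-allow-origin"];
  if (allowOrigin === undefined) return "Access-Control-Allow-Origin missing";
  if (allowOrigin === "*") {
    if (request.credentials) return "'*' origin is not allowed with credentials";
  } else if (allowOrigin !== request.origin) {
    return `Access-Control-Allow-Origin '${allowOrigin}' != '${request.origin}'`;
  }
  if (request.credentials && response.headers["access-control-allow-credentials"] !== "true") {
    return "Access-Control-Allow-Credentials is not 'true'";
  }
  const methods = parseList(response.headers["access-control-allow-methods"]);
  if (!SAFE_METHODS.has(request.method) && !methods.includes(request.method.toLowerCase())
      && !(methods.includes("*") && !request.credentials)) {
    return `method ${request.method} not in Access-Control-Allow-Methods`;
  }
  const allowed = parseList(response.headers["access-control-allow-headers"]);
  const wildcard = allowed.includes("*") && !request.credentials;
  for (const name of request.headers.map((h) => h.toLowerCase())) {
    if (SAFELISTED.has(name)) continue;
    // "authorization" must be listed explicitly; a "*" entry never covers it.
    const ok = name === "authorization" ? allowed.includes(name) : wildcard || allowed.includes(name);
    if (!ok) return `request header '${name}' not in Access-Control-Allow-Headers`;
  }
  return null;
}

// The request Firefox reported above: page opened from a local file (Origin:
// null), withCredentials = true, and two headers that need preflight approval.
const postedRequest = { origin: "null", method: "GET", credentials: true,
                        headers: ["authorization", "cache-control"] };

// What the posted add_header lines emit on a 2xx preflight. Reflecting
// $http_origin hands the "null" origin (and any other) an allowed origin
// together with Allow-Credentials: true, so this is a grant to every origin.
const postedResponse = {
  status: 204,
  headers: {
    "access-control-allow-origin": "null",
    "access-control-allow-credentials": "true",
    "access-control-allow-methods": "GET, POST, OPTIONS",
    "access-control-allow-headers": "DNT,Access-Control-Allow-Origin,X-CustomHeader,"
      + "Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type",
  },
};

// The same response with Authorization added to Allow-Headers, as suggested.
const fixedResponse = { ...postedResponse, headers: { ...postedResponse.headers,
  "access-control-allow-headers": postedResponse.headers["access-control-allow-headers"] + ",Authorization" } };

// A preflight carries no credentials, so a location guarded by auth_basic
// answers it with 401 and the browser stops before reading any header.
const unauthResponse = { ...postedResponse, status: 401 };

function demo() {
  return { posted: preflightFailure(postedRequest, postedResponse),
           fixed: preflightFailure(postedRequest, fixedResponse),
           unauth: preflightFailure(postedRequest, unauthResponse) };
}
console.log(demo());
```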
On Thu, Apr 13, 2017 at 08:20:15PM +0530, Ajay Garg wrote:

Hi there,

> There has been some progress, but still get a "CORS preflight did not
> succeed error".

What do the nginx logs say happened?

What should the nginx logs say, if everything worked the way you want
it to?

> Following is received in the firebug-console (sensitive information changed) ::

> Host 1.2.3.4
> Origin null

Does anything different happen if you serve this html file from your
1.2.3.4 server, instead of (I presume) by reading a local file?

Will your final use case involve a local file, a resource from the 1.2.3.4
server, or something else?

f
--
Francis Daly francis@daoine.org
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Hi Richard.

You have got me thinking ...
https://username:[email protected]/ works, even without ANY of the
"add_header" and "proxy_set_header" directives.

So, now the only thing that worries me is security.

http://stackoverflow.com/questions/4143196/is-get-data-also-encrypted-in-https
indicates that the URL is safe, in the sense that "username" and "password"
would not be sniffable through a man-in-the-middle attack, right?

Also, since 1.2.3.4 is our own server, we are not really bothered about
GET-requests getting logged on the server, so we should be good.

Do I make sense?

Kindly let me know your thoughts.


Thanks and Regards,
Ajay

On Thu, Apr 13, 2017 at 11:07 PM, Richard Stanway <[email protected]> wrote:

--
Regards,
Ajay
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Richard Stanway
Re: Unable to resolve the "Access-Control-Allow-Origin" issue
April 14, 2017 01:40PM
You're correct - placing the username and password in the URI is just as
safe as any other method as long as it's going over HTTPS, and the
credentials should never appear in any access logs (unless you specifically
choose to log the Authorization header).

On Fri, Apr 14, 2017 at 6:47 AM, Ajay Garg <[email protected]> wrote:
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Thanks a ton Richard !!

I will ask my colleague if this works in angularjs on Monday; my gut feel
is it will :)
Thanks a ton guys !!!


Thanks and Regards,
Ajay

On Fri, Apr 14, 2017 at 5:01 PM, Richard Stanway <[email protected]> wrote:

--
Regards,
Ajay
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx