Nginx之CORS（Cross-Origin Resource Sharing，跨來源資源共享）來實現防止盜連多媒體資源

IT_man

以下是gist.github.com支援reverse proxied APIs的範例:


$ {( ~" T  u5 X# d/ t. s

# CORS header support
' N% C9 M' E" E3 y7 r4 X( y9 u: o#
# y. O& X2 |! y  o6 v  ^/ E, T# One way to use this is by placing it into a file called "cors_support"
3 @% Y# F  n) X9 `. k# under your Nginx configuration directory and placing the following
# statement inside your **location** block(s):
#
( J" q; c1 {( Z6 m* O6 r#   include cors_support;
4 y% D' {3 D" i$ i8 ~" h4 D#
# As of Nginx 1.7.5, add_header supports an "always" parameter which
# allows CORS to work if the backend returns 4xx or 5xx status code.
0 @6 s: R# I( d# s, `6 k+ R, F2 d. \#
8 r* f* F4 a* s# For more information on CORS, please see: http://enable-cors.org/
: w9 L% s4 A/ ~2 a8 {- F! \# Forked from this Gist: https://gist.github.com/michiel/1064640
#

$ ?0 ~7 ]# o8 d4 k4 f* Qset $cors '';
if ($http_origin ~ '^https?://(localhost|www\.yourdomain\.com|www\.yourotherdomain\.com)$') {
        set $cors 'true';
0 W& S8 q/ T7 n+ Q& m2 U; m( P9 n}
( m! r2 K! Q8 s$ {0 q
1 b. a+ q- u: V; m) xif ($cors = 'true') {
2 P% r2 p. b) ^3 B8 }. }        add_header 'Access-Control-Allow-Origin' "$http_origin" always;
6 ~1 K# U% H9 E7 c5 m; y& v        add_header 'Access-Control-Allow-Credentials' 'true' always;
        add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;
        add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With' always;
& w0 ~; z) r1 r        # required to be able to read Authorization header in frontend
( {4 O; \3 I+ y; h; C$ v% Z1 Z& e( p  a        #add_header 'Access-Control-Expose-Headers' 'Authorization' always;
6 P% N0 h- a) X" a8 V* p" k# U4 [}

if ($request_method = 'OPTIONS') {
        # Tell client that this pre-flight info is valid for 20 days
  j  w# C7 V4 z6 A4 H  q        add_header 'Access-Control-Max-Age' 1728000;
7 X! F! G4 g2 B" u& k1 n        add_header 'Content-Type' 'text/plain charset=UTF-8';
        add_header 'Content-Length' 0;
: t7 Q8 D4 Q; N* _9 U        return 204;
}

https://gist.github.com/Stanback/7145487#file-nginx-conf 的討論範例:

if ( $request_method !~ ^(GET|POST|HEAD|OPTIONS|PUT|PATCH|DELETE)$ ) {     return 444;
8 r: `, x3 e, w0 `. X}
set $origin $http_origin;
if ($origin !~ '^https?://(subdom1|subdom2)\.yourdom\.zone$') {
8 m: o& Y; k2 i* m     set $origin 'https://default.yourdom.zone';
}
" ?4 v0 o+ K' d- b+ ?  ^if ($request_method = 'OPTIONS') {
! B: t* q* S1 l8 M5 Z  a/ p) Z     add_header 'Access-Control-Allow-Origin' "$origin" always;
- D8 M3 v" i! O7 c3 j7 |! P) U     add_header 'Access-Control-Allow-Methods' 'GET, POST, PATCH, PUT, DELETE, OPTIONS' always;
! i6 H& p1 [; [* n3 U6 S5 ?& m     add_header 'Access-Control-Allow-Headers' 'Content-Type, Accept, Authorization' always;
     add_header 'Access-Control-Allow-Credentials' 'true' always;
     add_header Access-Control-Max-Age 1728000;   #20 days   
8 J0 h9 d3 j! _( K* }* p" x/ f     add_header Content-Type 'text/plain charset=UTF-8';
3 Q, O! G8 k$ g# y- Y2 R% B     add_header Content-Length 0;
( K3 ~+ X# n7 z$ @9 i6 D     return 204;
. A$ e( o/ g3 b0 f}
8 l$ \7 J* s, Wif ($request_method ~ '(GET|POST|PATCH|PUT|DELETE)') {
     add_header Access-Control-Allow-Origin "$origin" always;
% v% v: l5 n. ?7 a( D" Y     add_header Access-Control-Allow-Methods 'GET, POST, PATCH, PUT, DELETE, OPTIONS' always;
     add_header Access-Control-Allow-Headers 'Content-Type, Accept, Authorization' always;
9 a1 c$ N5 \$ @- S. i4 s5 u     add_header Access-Control-Allow-Credentials true always;
2 M1 l' f5 S) m- ]0 [* Z}

Access-Control-Allow-Origin Multiple Origin Domains? 的例子:

# based on https://gist.github.com/4165271/
  _  {+ W9 g. _2 R- V#
' o8 g4 q' u4 q6 R# Slightly tighter CORS config for nginx
' l' Z8 M, i' o6 f# h1 }#
# A modification of https://gist.github.com/1064640/ to include a white-list of URLs
#
# Despite the W3C guidance suggesting that a list of origins can be passed as part of
( r3 w4 g0 r$ e: W& ~: {! L0 X: \# Access-Control-Allow-Origin headers, several browsers (well, at least Firefox)
# don't seem to play nicely with this.
6 ~+ _! R. A0 M3 s/ J( g* f#
! E1 |3 z7 }" n% D; d2 k, K3 S' y# To avoid the use of 'Access-Control-Allow-Origin: *', use a simple-ish whitelisting
: F# x/ `( N( l' _# method to control access instead.
( p# p+ B5 [9 l( f+ B. K#
/ l: e* `/ a' ]* v* j# NB: This relies on the use of the 'Origin' HTTP Header.

location / {

    if ($http_origin ~* (^https?://([^/]+\.)*(domainone|domaintwo)\.com$)) {
        set $cors "true";
    }

1 w; W9 j& B4 s, y    # Nginx doesn't support nested If statements. This is where things get slightly nasty.
5 c$ [8 O  f8 E& c. o  k    # Determine the HTTP request method used
4 L  a+ |- m8 Q8 H6 `$ t# W    if ($request_method = 'OPTIONS') {
2 n9 t- @) c' t" |        set $cors "${cors}options";
8 r+ G( H' q8 z1 s6 L& t    }
$ p: o3 q" }+ q; b6 E    if ($request_method = 'GET') {
( g: Y4 @9 U1 E- N$ `4 }        set $cors "${cors}get";
    }
    if ($request_method = 'POST') {
        set $cors "${cors}post";
3 ~" Q1 x5 z$ {* g; C    }

( `2 H- b- h% S  x; T    if ($cors = "true") {
        # Catch all incase there's a request method we're not dealing with properly
4 T$ U" ]# [" _$ b8 D$ z        add_header 'Access-Control-Allow-Origin' "$http_origin";
+ M( t$ a6 e: g- T0 g* b    }
3 e" v/ v: y9 U: O3 Y7 \
    if ($cors = "trueget") {
3 Z' K; X& E( v+ z5 T        add_header 'Access-Control-Allow-Origin' "$http_origin";
        add_header 'Access-Control-Allow-Credentials' 'true';
. [& b7 c6 u* k+ _        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
2 D- z; i, S8 G        add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
! \3 w4 j6 ^* A    }
4 s9 v' _7 k- \6 I! B! w
/ l" W2 I% j; e: H! r    if ($cors = "trueoptions") {
2 k. j9 t: \' p6 h; J6 [" F: f2 `/ |# m: R        add_header 'Access-Control-Allow-Origin' "$http_origin";
5 p% {: R8 e" T0 c  i& T% b
        #
        # Om nom nom cookies
1 Y8 L$ h6 w# w6 I+ L1 Y$ @  }        #
        add_header 'Access-Control-Allow-Credentials' 'true';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';

- W" j+ ~' U$ x6 }        #
" I: X3 H# G" ?2 ^8 U; H4 n. s        # Custom headers and headers various browsers *should* be OK with but aren't
0 K/ O  M( c2 h7 s) M/ i        #
6 r5 t+ V$ P2 W7 n0 y2 N        add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';

% n3 m7 s& ?. q" v' |4 v        #
- C' N* _) t: q9 [        # Tell client that this pre-flight info is valid for 20 days
7 K2 r+ h& N0 k8 x6 I! A- e2 V  Y        #
        add_header 'Access-Control-Max-Age' 1728000;
        add_header 'Content-Type' 'text/plain charset=UTF-8';
" E/ S) S7 t' n* ^        add_header 'Content-Length' 0;
  W2 p' }9 R# j: o        return 204;
    }

    if ($cors = "truepost") {
" t0 W: n8 ^) ?5 b- k9 d4 B        add_header 'Access-Control-Allow-Origin' "$http_origin";
        add_header 'Access-Control-Allow-Credentials' 'true';
+ j8 @- E4 K# v' w7 s& }8 y        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
    }
2 Y1 z# O& D& `6 p8 R0 E% M% f
}