我在 Jelastic 服务器前面添加了一个流量分配器 (nginx),该服务器之前运行时没有任何问题。
GET 请求和登录 POST 工作正常,但一旦登录,POST 和 PUT 请求就会失败,并出现已知的 CORS 错误(这些是针对实际请求的,预检工作正常):
Access to XMLHttpRequest at '' from origin 'xyz' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
响应标头为(错误代码为 500):
Content-Length:
383
Content-Type:
text/html
Date:
Thu, 20 Jul 2023 11:46:56 GMT
Etag:
"6194d09a-17f"
Server:
nginx
Firefox 也出现同样的错误,也在另一台运行 Linux 的机器上进行了测试。
奇怪的是它可以在 Safari 浏览器上运行。如果我从那里执行相同的 POST / PUT 请求,我会得到这些响应标头:
:status: 201
Access-Control-Allow-Origin: *
Alt-Svc: h3=":443"; ma=86400
Content-Length: 956
Content-Security-Policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
Content-Type: application/json; charset=utf-8
Cross-Origin-Opener-Policy: same-origin
Date: Thu, 20 Jul 2023 11:12:56 GMT
ETag: W/"3bc-A0RyA0BcEO6RQG+lbMpZAiISc0Y"
origin-agent-cluster: ?1
Referrer-Policy: no-referrer
Server: nginx
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Content-Type-Options: nosniff
X-DNS-Prefetch-Control: off
x-download-options: noopen
X-Frame-Options: SAMEORIGIN
x-permitted-cross-domain-policies: none
X-XSS-Protection: 0
来自 Brave/Chrome 的 CURL 请求:
curl 'https://dev-backend.xyz.app/api/collections/722/collectibles/4708' \
-X 'PUT' \
-H 'authority: dev-backend.xyz.app' \
-H 'accept: application/json, text/plain, */*' \
-H 'accept-language: en-GB,en;q=0.9' \
-H 'authorization: Bearer abcdef' \
-H 'content-type: application/json' \
-H 'origin: https://dev.xyz.app' \
-H 'referer: https://dev.xyz.app/' \
-H 'sec-ch-ua: "Not.A/Brand";v="8", "Chromium";v="114", "Brave";v="114"' \
-H 'sec-ch-ua-mobile: ?0' \
-H 'sec-ch-ua-platform: "macOS"' \
-H 'sec-fetch-dest: empty' \
-H 'sec-fetch-mode: cors' \
-H 'sec-fetch-site: same-site' \
-H 'sec-gpc: 1' \
-H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36' \
--data-raw '{jsondata}"
来自 Safari 的 CURL 请求:
curl 'https://dev-backend.xyz.app/api/collections/722/collectibles/4708' \
-X 'PUT' \
-H 'Content-Type: application/json' \
-H 'Accept: application/json, text/plain, */*' \
-H 'Authorization: Bearer abcdef' \
-H 'Sec-Fetch-Site: same-site' \
-H 'Accept-Language: en-GB,en;q=0.9' \
-H 'Accept-Encoding: gzip, deflate, br' \
-H 'Sec-Fetch-Mode: cors' \
-H 'Host: dev-backend.xyz.app' \
-H 'Origin: https://dev.xyz.app' \
-H 'Content-Length: 944' \
-H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5.1 Safari/605.1.15' \
-H 'Referer: https://dev.xyz.app/' \
-H 'Connection: keep-alive' \
-H 'Sec-Fetch-Dest: empty' \
--data-binary '{jsondata}'
当前 NGINX 配置:
location / {
if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Allow-Origin' $http_origin;
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, PUT, DELETE';
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Headers' 'Authorization,Content-Type,Accept';
add_header 'Access-Control-Max-Age' 86400;
return 204;
}
add_header 'Access-Control-Allow-Origin' $http_origin;
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, PUT, DELETE';
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Headers' 'Range, Authorization, Content-Type, x-session-token';
add_header 'Access-Control-Max-Age' 3600;
proxy_pass http://common;
}
如有任何帮助,我们将不胜感激。
我尝试了各种 nginx 配置更改,到目前为止没有任何效果。
除了 * 之外,还使用“始终”来表示访问控制允许来源。因为有时您使用的框架可能无法正确处理飞行前请求并且没有返回正确的响应,在这种情况下就会出现此问题。
检查:https://nginx.org/en/docs/http/ngx_http_headers_module.html
了解如何使用“始终”。