Nginx之CORS（Cross-Origin Resource Sharing，跨來源資源共享）來實現防止盜連多媒體資源

IT_man

以下是gist.github.com支援reverse proxied APIs的範例:

* f) i8 A* Z( [0 x+ u$ n4 a1 d
9 X$ k6 m2 G; _" X

# CORS header support
#
2 U- o6 S  D# C# One way to use this is by placing it into a file called "cors_support"
# under your Nginx configuration directory and placing the following
# statement inside your **location** block(s):
#
#   include cors_support;
* X. ]4 d" b6 [#
1 \. R3 T) Y8 J5 V! ~7 O4 M# As of Nginx 1.7.5, add_header supports an "always" parameter which
( W/ H# }6 N8 G: c% f3 |. o# allows CORS to work if the backend returns 4xx or 5xx status code.
#
# For more information on CORS, please see: http://enable-cors.org/
# Forked from this Gist: https://gist.github.com/michiel/1064640
& S. I9 d5 X; `8 `7 ?1 h#

& w" f/ n: N6 h8 h4 \set $cors '';
if ($http_origin ~ '^https?://(localhost|www\.yourdomain\.com|www\.yourotherdomain\.com)$') {
% i( W- [' s' O9 b( U        set $cors 'true';
}
' h7 Q) E8 P9 W7 w6 b: z3 r
: c6 s7 C2 o3 r& e- y1 kif ($cors = 'true') {
: t. @, E" N# H( y5 e        add_header 'Access-Control-Allow-Origin' "$http_origin" always;
. o  U& j. k8 c7 x8 k5 ?0 {& L5 P" k8 X7 a        add_header 'Access-Control-Allow-Credentials' 'true' always;
3 [9 q! @" T$ G4 ?$ u1 Y* p# g6 `: c        add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;
) ~9 S, m. }& I        add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With' always;
6 q0 ]. S" g8 s2 {/ i! m        # required to be able to read Authorization header in frontend
( E9 _* M" i: j/ z0 R$ S        #add_header 'Access-Control-Expose-Headers' 'Authorization' always;
! e3 e& v6 Y: ^  g0 c& L# o}

if ($request_method = 'OPTIONS') {
- f) B4 k' u6 d; g% |        # Tell client that this pre-flight info is valid for 20 days
1 T* ?1 H  X* }/ \3 S        add_header 'Access-Control-Max-Age' 1728000;
        add_header 'Content-Type' 'text/plain charset=UTF-8';
/ ?' B. ~- H2 \. C3 |$ _1 f        add_header 'Content-Length' 0;
        return 204;
}

https://gist.github.com/Stanback/7145487#file-nginx-conf 的討論範例:
, h, G$ [3 m( h

if ( $request_method !~ ^(GET|POST|HEAD|OPTIONS|PUT|PATCH|DELETE)$ ) {     return 444;
5 O7 v! @) `: |4 ?. Q, `}
set $origin $http_origin;
if ($origin !~ '^https?://(subdom1|subdom2)\.yourdom\.zone$') {
% c# n. p' w# m1 o     set $origin 'https://default.yourdom.zone';
: E& K3 }+ T: }4 w+ ^' h}
if ($request_method = 'OPTIONS') {
: s* K+ p% f% `3 h& X% V     add_header 'Access-Control-Allow-Origin' "$origin" always;
3 O  l  T" W6 W2 T     add_header 'Access-Control-Allow-Methods' 'GET, POST, PATCH, PUT, DELETE, OPTIONS' always;
     add_header 'Access-Control-Allow-Headers' 'Content-Type, Accept, Authorization' always;
1 c: Y0 s2 @# a  E. Y$ Q     add_header 'Access-Control-Allow-Credentials' 'true' always;
     add_header Access-Control-Max-Age 1728000;   #20 days   
: `6 v5 J9 D- Z, I$ V# ]8 r     add_header Content-Type 'text/plain charset=UTF-8';
' j1 Y  E; ~; _; S4 w: G     add_header Content-Length 0;
; G: f6 i9 b6 T, I! f     return 204;
4 Z$ q9 M9 A2 T2 M" c, w}
if ($request_method ~ '(GET|POST|PATCH|PUT|DELETE)') {
     add_header Access-Control-Allow-Origin "$origin" always;
     add_header Access-Control-Allow-Methods 'GET, POST, PATCH, PUT, DELETE, OPTIONS' always;
. ?0 K$ x2 v! B' b9 U1 k     add_header Access-Control-Allow-Headers 'Content-Type, Accept, Authorization' always;
     add_header Access-Control-Allow-Credentials true always;
}

Access-Control-Allow-Origin Multiple Origin Domains? 的例子:

# based on https://gist.github.com/4165271/
4 W5 }/ e- ^' s$ Q# z#
: w) U- u6 L1 S1 H# Slightly tighter CORS config for nginx
% q3 w! u% M9 _/ r, C9 q8 Z#
0 ?/ C6 U9 S$ |/ Q# A modification of https://gist.github.com/1064640/ to include a white-list of URLs
1 s# j# \7 l5 Q4 x: R. Z: B" J6 ~#
# Despite the W3C guidance suggesting that a list of origins can be passed as part of
# Access-Control-Allow-Origin headers, several browsers (well, at least Firefox)
# don't seem to play nicely with this.
#
# To avoid the use of 'Access-Control-Allow-Origin: *', use a simple-ish whitelisting
# method to control access instead.
#
+ b" y& h2 o4 d2 [2 g# NB: This relies on the use of the 'Origin' HTTP Header.

location / {

) T6 R0 g$ I. k& N2 K    if ($http_origin ~* (^https?://([^/]+\.)*(domainone|domaintwo)\.com$)) {
$ \/ C( k7 v9 L. R1 x! k# K( Y        set $cors "true";
! U$ f4 r9 v  X    }
5 A2 T) C4 l4 G" ?
    # Nginx doesn't support nested If statements. This is where things get slightly nasty.
7 B  K5 u# c# `; C% P0 D    # Determine the HTTP request method used
1 S* Y. ^& Q" Q( _; `" X    if ($request_method = 'OPTIONS') {
        set $cors "${cors}options";
6 j, Z. V2 {: q" k/ i0 @( w/ U+ ~; M    }
    if ($request_method = 'GET') {
% }$ }$ L" q0 {  @/ V        set $cors "${cors}get";
    }
9 Q2 O# B* U+ T' e2 }    if ($request_method = 'POST') {
+ g& n8 x# l5 H2 X6 \7 v        set $cors "${cors}post";
    }
' Q5 S$ M& S  H9 C8 a; d* o
  U0 P7 i3 y+ z' W    if ($cors = "true") {
- ^7 h9 ?7 g6 N. S( ^        # Catch all incase there's a request method we're not dealing with properly
6 k' w8 @+ t0 n  L; E" `        add_header 'Access-Control-Allow-Origin' "$http_origin";
    }
4 G' C$ F+ Q) q
    if ($cors = "trueget") {
        add_header 'Access-Control-Allow-Origin' "$http_origin";
        add_header 'Access-Control-Allow-Credentials' 'true';
* J) |  O( i2 p        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
0 d: u5 Q. q# G1 f6 s        add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
) m) E$ h8 E1 I7 n) R( N    }

4 [* n8 G3 B' B6 t' W6 [; z8 j0 r8 [    if ($cors = "trueoptions") {
        add_header 'Access-Control-Allow-Origin' "$http_origin";

% m- j' K5 b9 g) `/ t3 ?        #
1 ?: O* t: V, x  c- E; L4 m        # Om nom nom cookies
* s$ O: @8 F/ s8 u% d1 d        #
: z# U8 N* G& T/ @8 G- X        add_header 'Access-Control-Allow-Credentials' 'true';
0 u9 X! g  p) b+ w. g/ S% K        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
! D# Q4 S: T- R% F7 G: _
) d/ r0 t& x6 }: F' J* I3 Q* V        #
; }) ~" q' t/ ~        # Custom headers and headers various browsers *should* be OK with but aren't
* b( V# k8 n: L: R, Q        #
, l1 G4 D: N: B5 p, V0 M3 n4 f3 Q2 [        add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';

        #
        # Tell client that this pre-flight info is valid for 20 days
        #
        add_header 'Access-Control-Max-Age' 1728000;
        add_header 'Content-Type' 'text/plain charset=UTF-8';
        add_header 'Content-Length' 0;
+ h% t6 k2 C; i( p+ I, c        return 204;
* R( ?) z) u1 v$ u5 @, E, e    }
2 S: V+ A6 B$ g0 f
5 @# [$ `! \2 Y6 B" L    if ($cors = "truepost") {
        add_header 'Access-Control-Allow-Origin' "$http_origin";
* S% P% u" \5 B- r6 W& O        add_header 'Access-Control-Allow-Credentials' 'true';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
8 }# p" D% A2 P0 g, k        add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
    }

9 a  Y" w+ m5 n}