nginx跨域问题记录
现象:
访问 toolbox.chinasoft.com 提示如下:
Access to Font at 'https://images.chinasoft.com/static-toolbox/style/fonts/global_iconfont.woff?iv41ks' from origin 'https://toolbox.chinasoft.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin'
header is present on the requested resource. Origin 'https://toolbox.chinasoft.com' is therefore not allowed access.
解决:
1.在toolbox.chinasoft.com.conf中添加跨域的配置,问题依旧
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Methods' 'GET, PUT, POST, DELETE, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'Content-Type,*';
2.多次配置无效,于是在images.chinasoft.com中也配置可以跨域,问题解决
跨域配置示例
1.写法1 map $http_origin $corsHost { default "none" ; "~https://mockitt.chinasoft.com" https://mockitt.chinasoft.com ; } set $cors_origin ""; if ($http_origin ~* "^https://www.chinasoft.cn$") { set $cors_origin $http_origin; } add_header Access-Control-Allow-Origin $cors_origin; if ($request_method = 'OPTIONS') { add_header Access-Control-Allow-Origin $cors_origin; add_header Access-Control-Allow-Methods GET,POST,OPTIONS; add_header Access-Control-Allow-Headers 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization'; return 204; }
2.写法2
#跨域配置
set $allow_headers 'Content-Type,X-Requested-With,Origin,Authorization,Keep-Alive,User-Agent,Cache-Control,X-Plugin-Id,X-Activity-Id,X-Csrf-Token'; set $allow_methods 'POST,GET,PATCH,OPTIONS,PUT'; if ($request_method = 'OPTIONS') { add_header Access-Control-Allow-Origin $http_origin; add_header Access-Control-Allow-Methods $allow_methods always; add_header Access-Control-Allow-Headers $allow_headers always; add_header 'Access-Control-Allow-Credentials' 'true' always; return 204; } # 单个域名的配置 if ($http_origin ~* (https?://[^/]*\.chinasoft\.com)) { # 多个域名的配置 # if ($http_origin ~* "^http(s?)://(.*).(chinaosft|baidu|alibaba).(.*)$") { add_header 'Access-Control-Allow-Origin' $http_origin always; add_header 'Access-Control-Allow-Headers' $allow_headers always; add_header 'Access-Control-Allow-Methods' $allow_methods always; add_header 'Access-Control-Allow-Credentials' 'true' always; }
#跨域配置
location /api { proxy_set_header Host $host; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Scheme $scheme; proxy_pass http://mkweb_servers; set $cors_origin ""; if ($http_origin ~* "^http(s?)://(.*).(chinaosft|baidu|alibaba).(.*)$") { set $cors_origin $http_origin; } add_header Access-Control-Allow-Origin $cors_origin; add_header 'Access-Control-Allow-Credentials' 'true' always; #add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS, POST, PUT, PATCH' always; add_header 'Access-Control-Allow-Methods' '*'; add_header 'Access-Control-Allow-Headers' '*'; expires -1; }
示例
location ~ /(convert) { proxy_set_header Host $host; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Scheme $scheme; proxy_pass http://convert_servers; #跨域配置 set $allow_headers 'Content-Type,X-Requested-With,Origin,Authorization,Keep-Alive,User-Agent,Cache-Control,X-Plugin-Id,X-Activity-Id,X-Csrf-Token'; set $allow_methods 'POST,GET,PATCH,OPTIONS,PUT'; if ($request_method = 'OPTIONS') { add_header Access-Control-Allow-Origin $http_origin; add_header Access-Control-Allow-Methods $allow_methods always; add_header Access-Control-Allow-Headers $allow_headers always; add_header 'Access-Control-Allow-Credentials' 'true' always; return 204; } if ($http_origin ~* (https?://[^/]*\.chinasoft\.cn)) { add_header 'Access-Control-Allow-Origin' $http_origin always; add_header 'Access-Control-Allow-Headers' $allow_headers always; add_header 'Access-Control-Allow-Methods' $allow_methods always; add_header 'Access-Control-Allow-Credentials' 'true' always; } expires -1; }
# 设置跨域
map $http_origin $corsHost {
default "none" ;
"~https://pixconv.chinasoft.cn" https://pixconv.chinasoft.cn;
"~https://pix.chinasoft.cn" https://pix.chinasoft.cn;
"~https://pix.design" https://pix.design;
}
add_header Access-Control-Allow-Origin $corsHost;
# 如果nginx和服务端代码都加了跨域,就会报错如下,删除服务端或者代码里面的跨域保留其中一个即可
origin 'https://pix.chinasoft.cn' has been blocked by CORS policy: The 'Access-Control-Allow-Origin' header contains multiple values 'https://pix.chinasoft.cn, https://pix.chinasoft.cn', but only one is allowed.
