Credentials CORS fixes

Finally figured out where I misunderstood nginx LEARNER-568

Credentials CORS fixes
Finally figured out where I misunderstood nginx LEARNER-568
e608ac21 · Clinton Blackburn · Clinton Blackburn · 9274647e · e608ac21
Commit e608ac21 authored Apr 14, 2017 by Clinton Blackburn Committed by Clinton Blackburn Apr 14, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 24 additions and 17 deletions

playbooks/roles/credentials/templates/edx/app/nginx/sites-available/credentials.j2
+24 -17

No files found.
--- a/playbooks/roles/credentials/templates/edx/app/nginx/sites-available/credentials.j2
+++ b/playbooks/roles/credentials/templates/edx/app/nginx/sites-available/credentials.j2
@@ -15,16 +15,6 @@ upstream credentials_app_server {
 {% endfor %}
 }

-map $http_host $DO_CORS {
-  hostnames;
-
-  default 'false';
-
-{% for host in CREDENTIALS_CORS_ORIGIN_WHITELIST %}
-  {{ host }} 'true';
-{% endfor %}
-}
-
 server {
  server_name {{ CREDENTIALS_HOSTNAME }};

@@ -48,17 +38,34 @@ server {
  }

  location ~ ^{{ CREDENTIALS_STATIC_URL }}(?P<file>.*) {
-    if ($DO_CORS = 'true') {
-      add_header 'Access-Control-Allow-Origin' "$http_origin" always;
-      add_header 'Access-Control-Allow-Methods' 'GET';
-      add_header 'Access-Control-Allow-Credentials' 'true' always;
-      add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
+    # Determine if we want to send the CORS headers
+    if ($http_origin ~ '^https?://({{ CREDENTIALS_CORS_ORIGIN_WHITELIST|join('|')|replace('.', '\.') }})/') {
+      set $cors 'true';
    }

+    # All headers need to be set in one block. We cannot, for example, set default headers here and add more
+    # in an if statement. Thus, we have duplicate add_header directives in multiple if blocks.
+    # Adapted from http://stackoverflow.com/questions/27955233/nginx-config-for-cors-add-header-directive-is-not-allowed.
    if ($request_method = 'OPTIONS') {
-      add_header 'Access-Control-Max-Age' 1728000;
-      add_header 'Content-Type' 'text/plain charset=UTF-8';
+      set $cors "${cors}options";
+    }
+
+    if ($request_method = 'GET') {
+      set $cors "${cors}get";
+    }
+
+    if ($cors = "trueget") {
+      add_header 'Access-Control-Allow-Origin' "$http_origin";
+      add_header 'Access-Control-Allow-Credentials' 'true';
+    }
+
+    if ($cors = "trueoptions") {
+      add_header 'Access-Control-Allow-Origin' "$http_origin";
+      add_header 'Access-Control-Allow-Credentials' 'true';
+      add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+      add_header 'Access-Control-Allow-Headers' 'Authorization,Content-Type,Accept,Origin,User-Agent,DNT,Cache-Control,X-Mx-ReqToken,Keep-Alive,X-Requested-With,If-Modified-Since';
      add_header 'Content-Length' 0;
+      add_header 'Content-Type' 'text/plain charset=UTF-8';
      return 204;
    }