nhcarrigan/nginx-configs
9
0
Fork 0
generated from nhcarrigan/template
Code Issues 1 Pull Requests Actions Releases Activity

fix: resolve CORS header suppression on cdn.nhcarrigan.com
Test nginx configuration / Static Analysis (push) Failing after 5s
Details
Test nginx configuration / nginx Syntax Check (push) Failing after 16s
Details
Security Scan and Upload / Security & DefectDojo Upload (push) Successful in 1m38s
Details

Browse Source 
Restructures the location block to avoid the nginx "if is evil" pattern
where add_header directives inside an if block suppress those in the
parent location context. Also adds Access-Control-Max-Age and removes
POST from allowed methods since the CDN serves static assets only.
This commit is contained in:
Hikari
2026-04-20 18:32:45 -07:00
committed by Naomi Carrigan
parent f6c4e2dac7
commit fb6080ae87
1 changed files with 13 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files
nginx/nginx/sites-available/cdn.conf
+13 -12
View File
@@ -18,7 +18,18 @@ server {
return 301 $scheme://$host/avatars/$1;
}
# Handle CORS preflight requests without the "if is evil" pattern.
location / {
if ($request_method = OPTIONS) {
add_header Access-Control-Allow-Origin "*" always;
add_header Access-Control-Allow-Methods "GET, OPTIONS" always;
add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range" always;
add_header Access-Control-Max-Age 86400 always;
add_header Content-Type "text/plain; charset=utf-8";
add_header Content-Length 0;
return 204;
}
proxy_pass https://nhcarrigan.hel1.your-objectstorage.com;
proxy_set_header Host nhcarrigan.hel1.your-objectstorage.com;
@@ -32,22 +43,12 @@ server {
proxy_set_header x-amz-date "";
proxy_set_header x-amz-security-token "";
add_header X-Debug-Cdn "Proxy-Active" always;
proxy_hide_header Access-Control-Allow-Origin;
add_header X-Debug-Cdn "Proxy-Active" always;
add_header Access-Control-Allow-Origin "*" always;
add_header Access-Control-Allow-Methods "GET, POST, OPTIONS" always;
add_header Access-Control-Allow-Methods "GET, OPTIONS" always;
add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range" always;
if ($request_method = 'OPTIONS') {
add_header Access-Control-Allow-Origin "*" always;
add_header Access-Control-Allow-Methods "GET, POST, OPTIONS" always;
add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range" always;
add_header Content-Type "text/plain; charset=utf-8";
add_header Content-Length 0;
return 204;
}
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}