From fb6080ae87da694a55cc031a6349cf8bf791f40b Mon Sep 17 00:00:00 2001
From: Hikari
Date: Mon, 20 Apr 2026 18:32:45 -0700
Subject: [PATCH] fix: resolve CORS header suppression on cdn.nhcarrigan.com

Restructures the location block to avoid the nginx "if is evil" pattern where add_header directives inside an if block suppress those in the parent location context. Also adds Access-Control-Max-Age and removes POST from allowed methods since the CDN serves static assets only.
---
 nginx/nginx/sites-available/cdn.conf | 25 +++++++++++++------------
 1 file changed, 13 insertions(+), 12 deletions(-)

diff --git a/nginx/nginx/sites-available/cdn.conf b/nginx/nginx/sites-available/cdn.conf
index 718c06a..4cf6e5c 100644
--- a/nginx/nginx/sites-available/cdn.conf
+++ b/nginx/nginx/sites-available/cdn.conf
@@ -18,7 +18,18 @@ server {
 return 301 $scheme://$host/avatars/$1;
 }
+ # Handle CORS preflight requests without the "if is evil" pattern.
 location / {
+ if ($request_method = OPTIONS) {
+ add_header Access-Control-Allow-Origin "*" always;
+ add_header Access-Control-Allow-Methods "GET, OPTIONS" always;
+ add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range" always;
+ add_header Access-Control-Max-Age 86400 always;
+ add_header Content-Type "text/plain; charset=utf-8";
+ add_header Content-Length 0;
+ return 204;
+ }
+
 proxy_pass https://nhcarrigan.hel1.your-objectstorage.com;
 proxy_set_header Host nhcarrigan.hel1.your-objectstorage.com;
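Review bot: The two headers without `always` in the new preflight block, `add_header Content-Type "text/plain; charset=utf-8";` and `add_header Content-Length 0;`, should be dropped: a 204 response has no body, HTTP does not allow a Content-Length field on a 204, and `add_header` only appends a field rather than setting the response's content type. The comment above `location /` is also inaccurate, because the block still uses `if` inside a location; it is the closing `return` that keeps this use predictable, so wording such as `# Answer CORS preflight before proxying; this if is safe because it ends in return.` would describe it better. The `location /` block closes outside this hunk.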
@@ -32,22 +43,12 @@ server {
 proxy_set_header x-amz-date "";
 proxy_set_header x-amz-security-token "";
- add_header X-Debug-Cdn "Proxy-Active" always;
- proxy_hide_header Access-Control-Allow-Origin;
+ add_header X-Debug-Cdn "Proxy-Active" always;
 add_header Access-Control-Allow-Origin "*" always;
- add_header Access-Control-Allow-Methods "GET, POST, OPTIONS" always;
+ add_header Access-Control-Allow-Methods "GET, OPTIONS" always;
 add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range" always;
-
- if ($request_method = 'OPTIONS') {
- add_header Access-Control-Allow-Origin "*" always;
- add_header Access-Control-Allow-Methods "GET, POST, OPTIONS" always;
- add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range" always;
- add_header Content-Type "text/plain; charset=utf-8";
- add_header Content-Length 0;
- return 204;
- }
 }
 include /etc/nginx/snippets/deny-dotfiles.conf;
 }
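Review bot: The location-level `add_header` lines kept here fall under the same inheritance rule the commit message describes: a level that declares any `add_header` inherits none from `server` or `http`, so security headers set there (none are visible in this patch) would not reach CDN responses or the preflight reply. A comment such as `# add_header here replaces anything inherited from server/http; repeat shared headers in this block.` would record that. On this page the `proxy_hide_header Access-Control-Allow-Origin;` line directly follows a `-` marker and may be either a removed line or context after a removed blank line; it needs to stay, otherwise any value the upstream sends is passed through next to the `*` added here. The `location /` block opens in the previous hunk.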