cors:跨源时严格源:反应 + nginx +弹性搜索
今天下午我对我的反应应用程序做了一些小调整。但是,当尝试从我的 Elasticsearch 服务器获取信息时,我收到了跨域时严格源错误。我过去收到过 CORS 错误,并且总是能够以某种方式处理它们,但这次我陷入了困境。
我的设置:
我有 React 应用程序,使用 axios,发出以下 get 请求:
const authorization = process.env.REACT_APP_ELASTICSEARCH_AUTHORIZATION;
const header = {
'Authorization': authorization,
}
axios.get(`${path}/${searchIndex}/_search`,
{headers: header}
然后将该请求发送到运行 nginx 的代理服务器。
设置如下:
location /somelocation/ {
proxy_pass https://someip:someport/;
proxy_redirect off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_pass_header Access-Control-Allow-Origin;
proxy_pass_header Access-Control-Allow-Methods;
proxy_hide_header Access-Control-Allow-Headers;
add_header Access-Control-Allow-Headers 'X-Requested-With, Content-Type';
add_header Access-Control-Allow-Credentials true;
proxy_pass_header Authorization;
}
在elasticsearch服务器上,我有以下CORS设置:
http.cors.enabled: true
http.cors.allow-credentials: true
http.cors.allow-origin: '*'
http.cors.allow-headers: X-Requested-With, X-Auth-Token, Content-Type, Content-Length, Authorization, Access-Control-Allow-Headers, Accept
http.cors.allow-methods: OPTIONS, HEAD, GET, POST, PUT, DELETE
使用react应用程序正在使用的路径发出请求,来自邮递员工作得很好。在传递必要的用户名+密码后,我还可以从浏览器执行请求。只有反应应用程序(在本地主机上运行的开发中)似乎不起作用。
来自 https://developer.mozilla.org/en-US /docs/Web/HTTP/CORS/Errors 我理解:
跨源时严格源(默认)
执行同源请求时发送源、路径和查询字符串。对于跨源请求(仅)当协议安全级别保持相同(HTTPS→HTTPS)时才发送源。不要将 Referer 标头发送到安全性较低的目的地 (HTTPS→HTTP)。
我认为问题可能在于应用程序在 HTTP 而不是 HTTPS 上运行,但通过“HTTPS=true npm start”运行应用程序并没有解决问题。我尝试了不同的调整,无论是在请求端(axios)还是在 nginx 或 es yml 文件中,但似乎都不起作用。感谢您的帮助并致以诚挚的问候。
编辑:
现在也包含屏幕截图:
This afternoon I was make some small adaptations to my react app. However, when trying to fetch information from my elasticsearch server, I receive a strict-origin-when-cross-origin error. I have received CORS errors in the past and was always able to deal with them in a certain way, but this time I am quit stuck.
My set up:
I have the react app, using axios, making the following get request:
const authorization = process.env.REACT_APP_ELASTICSEARCH_AUTHORIZATION;
const header = {
'Authorization': authorization,
}
axios.get(`${path}/${searchIndex}/_search`,
{headers: header}
The request is then send to my proxy server running nginx.
The setting there are the following:
location /somelocation/ {
proxy_pass https://someip:someport/;
proxy_redirect off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_pass_header Access-Control-Allow-Origin;
proxy_pass_header Access-Control-Allow-Methods;
proxy_hide_header Access-Control-Allow-Headers;
add_header Access-Control-Allow-Headers 'X-Requested-With, Content-Type';
add_header Access-Control-Allow-Credentials true;
proxy_pass_header Authorization;
}
On the elasticsearch server I have the following CORS settings:
http.cors.enabled: true
http.cors.allow-credentials: true
http.cors.allow-origin: '*'
http.cors.allow-headers: X-Requested-With, X-Auth-Token, Content-Type, Content-Length, Authorization, Access-Control-Allow-Headers, Accept
http.cors.allow-methods: OPTIONS, HEAD, GET, POST, PUT, DELETE
Making requests, using the path that the react app is using, from postman works perfectly fine. I can also perform the request from my browser, after passing the necessary username + password. Only the react app (in development running on localhost) does not seem to work.
From https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors I understand:
strict-origin-when-cross-origin (default)
Send the origin, path, and querystring when performing a same-origin request. For cross-origin requests send the origin (only) when the protocol security level stays same (HTTPS→HTTPS). Don't send the Referer header to less secure destinations (HTTPS→HTTP).
I thought that maybe the problem was situated with the fact that the app runs on HTTP and not HTTPS, but running the app via 'HTTPS=true npm start' did not solve the problem. I have tried different tweaks, both on the request side (axios) as in nginx or in the es yml file, but nothing seems to work. Thank you and kind regards for your help.
EDIT:
included screenshots now as well:
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
好吧,我今天下午就解决了这个错误。首先,并非所有错误消息都显示在我的控制台中,这使得检测错误变得更加困难。正如上面正确指出的,我看到的错误消息只是一条通用消息。在我的控制台中,我需要将设置更新为以下内容:
之后,可以看到完整的 CORS 错误,这需要我对 NGINX 代理服务器和 elasticsearch 服务器进行一些更改。
第一个错误是:“预检响应中的 Access-Control-Allow-Headers 不允许标头字段授权”
虽然 elasticsearch 服务器允许授权标头,但这是 - 如果我错了,请纠正我 - 没有由 NGINX 正确传递代理服务器,因为设置为:“proxy_hide_header Access-Control-Allow-Headers;”
我将 NGINX 设置更改为:
注释掉的行是旧配置。
尝试几个新请求,显示了其他 CORS 策略,例如 Access-control-Allow-Headers 不允许 access-control-allow-methods、Access-Control-Allow- 不允许 access-control-allow-origin headers,...此时错误清楚地表明了要做什么,即将这些字段添加到elasticsearch配置文件中的Access-Control-Allow-Headers部分。
完成所有操作后,elasticsearch config yml 文件如下所示:
所以我添加了:Access-Control-Allow-Methods、Access-Control-Allow-Origin、Access-Control-Allow-Credentials。
感谢大家帮助我,我发布这个答案,以便将来可以使用。欢迎进一步纠正我。
Ok I was able to solve the error in the course of this afternoon. First of all, not all the error messages were showing in my console, which made it fo course more difficult to detect the error. As pointed out correctly above, the error message I was seeing, was just a generic message. In my console I needed to update the settings to the following:
After that the complete CORS errors were visible, which required me to make some changes, both to the NGINX proxy server and the elasticsearch server.
The first error was: "header field authorization is not allowed by Access-Control-Allow-Headers in preflight response"
Although the elasticsearch server allowed the Authorization header, this was -correct me if I am wrong- not properly passed on by the NGINX proxy server, since the settings there were: "proxy_hide_header Access-Control-Allow-Headers;"
I changed the NGINX settings to:
The lines that are commented out are the old configurations.
Attempting a several new requests, other CORS policies were shown, such as access-control-allow-methods is not allowed by Access-control-Allow-Headers, access-control-allow-origin is not allowed by Access-Control-Allow-Headers,... At that point the errors were clearly indicating what to do, namely adding these fields to the Access-Control-Allow-Headers section in the elasticsearch configuration file.
After completing everything, the elasticsearch config yml file looks like this:
So I added: Access-Control-Allow-Methods, Access-Control-Allow-Origin, Access-Control-Allow-Credentials.
Thanks everyone for helping me out, I post this answer so it might be used for future purposes. Feel free to further correct me.
将这两行添加到以下文件中
并重新启动 nginx 服务器
Add both lines to the below file
and restart nginx server