CORS Allow Origin Not Matching Origin error through nginx

Posted on 2025-01-31 01:12:15

I have one application on one domain that talks to another application through the browser making API calls. It's getting the below error in the devtools logs

CORS Allow Origin Not Matching Origin

The route it takes is through 3 servers before it hits the application which is hosted in AKS.
First it hits an nginx TLS server and here I have enabled CORS like so underneath the location block

      add_header 'Access-Control-Allow-Origin' 'https://mysite.domain';
      add_header "Access-Control-Allow-Methods" "GET, POST, OPTIONS, PUT, DELETE";
      add_header "Access-Control-Allow-Headers" "Authorization, Content-Type";

Next it gets forwarded on to an nginx reverse proxy server which has the same config defined under the location block

Next it hits the service mesh (istio) in AKS where the virtual service it hits has the below configuration for CORS

  - corsPolicy:
      allowCredentials: true
      allowHeaders:
      - authorization
      - content-type
      allowMethods:
      - GET
      - POST
      - OPTIONS
      - PUT
      - DELETE
      allowOrigins:
      - exact: '*'

If I bypass my nginx servers then I don't have any issue, but when I target the service through the nginx servers I get the above CORS error. Looking at the devtools logs and the failure in detail, it makes no sense, as I can see the CORS policy of all three hops is identical and the access-control-allow-origin is the same for all of them and it exactly matches the Origin field in the same request.

I have tried many combinations including allowing ALL on the nginx servers like below

      add_header 'Access-Control-Allow-Origin' '*';

And I also tried locking it down to the URL on the virtual service in K8S but that didn't work either.
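
One check for a chain like the one described, where several hops each add `Access-Control-Allow-Origin`: evaluate the headers that reach the browser the way the browser's CORS check does. This is an added example, not part of the original post; the function name and the sample header lists are constructed, and it assumes each nginx hop appends its header to the upstream response rather than replacing it.

```python
# Added example: the browser's Access-Control-Allow-Origin check, applied to
# the response headers as they arrive after several proxy hops.

def cors_origin_check(origin, headers, credentialed=False):
    """headers: (name, value) pairs as received, duplicates kept.
    Returns (allowed, reason)."""
    def values(name):
        return [v.strip() for n, v in headers if n.lower() == name]

    acao = values("access-control-allow-origin")
    if not acao:
        return False, "no Access-Control-Allow-Origin header"
    # Repeated header lines are combined into one comma-separated value and
    # that whole string is compared with Origin, so two copies of the very
    # same origin still fail.
    combined = ", ".join(acao)
    if "," in combined:
        return False, "multiple values: " + combined
    if combined == "*":
        if credentialed:
            return False, "wildcard not accepted on credentialed requests"
        return True, "wildcard"
    if combined != origin:
        return False, combined + " does not match Origin " + origin
    if credentialed and values("access-control-allow-credentials") != ["true"]:
        return False, "Access-Control-Allow-Credentials is not 'true'"
    return True, "exact match"


ORIGIN = "https://mysite.domain"  # origin value used in the post

# Constructed header lists, not captured from the poster's systems.
DIRECT = [("access-control-allow-origin", ORIGIN),
          ("access-control-allow-credentials", "true")]
# Assumption: each nginx hop appends its own copy to the upstream response.
VIA_PROXIES = [("Access-Control-Allow-Origin", ORIGIN)] * 2 + DIRECT

if __name__ == "__main__":
    for label, hdrs in (("direct", DIRECT), ("via proxies", VIA_PROXIES)):
        print(label, cors_origin_check(ORIGIN, hdrs, credentialed=True))
```

Running it on the raw response header lines seen at each hop (for example from the DevTools network tab) shows where a second copy of the header first appears.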
