NGINX add_header, adding multiple headers

Solution 1:

Well, yes, nginx is combining the identically named headers.. but it's doing so in accordance with the HTTP spec. See section 4.2.

The header:

Access-Control-Allow-Origin: http://dev.anuary.com, https://dev.anuary.com

Is, according to the HTTP/1.1 spec, functionally equivalent to:

Access-Control-Allow-Origin: http://dev.anuary.com
Access-Control-Allow-Origin: https://dev.anuary.com

If you have a system or application that is capable of reading one format and not the other, then it's the problem. nginx is doing it right.


EDIT:

The Mozilla documentation states that there can only be one Access-Control-Allow-Origin header.

The formatting of it (see here) should be a space-delimited list of origins:

add_header Access-Control-Allow-Origin "http://dev.anuary.com https://dev.anuary.com";

But really, you're supposed to be echoing the Origin header supplied by the client instead of generating one out of the blue. This is probably more appropriate:

if ($http_origin ~* "^https?://dev\.anuary\.com$" ) {
    add_header Access-Control-Allow-Origin $http_origin;
}

Solution 2:

Check out this post for configuring your nginx CORS with dynamic domains: https://qa.lsproc.com/post/access-control-allow-origin-multiple-origin-domains