nginx Access Control Origin Header is configured but doesn't work

nginx cors

Solution 1:

There are no proxied requests

Of this block:

location /ads {
    proxy_set_header 'Access-Control-Max-Age' 1728000;
    proxy_set_header 'Access-Control-Allow-Origin' '*';
    proxy_set_header 'Access-Control-Allow-Credentials' 'true';
    proxy_set_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
    proxy_set_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
  try_files $uri $uri/ /index.php?$args;
}

The only directive that is doing anything is try_files - because there is no proxied request issued. proxy_pass_header only makes sense if proxy_pass is also used; but it would send the headers to the proxied server, not the client so is irrelevant for CORS.

Use add_header

The directive you're looking for is add_header - a valid example would be:

location /ads {
    add_header "Access-Control-Allow-Origin" "*";
    ...
    try_files $uri $uri/ /index.php?$args;
}

This adds the header to the response sent back to the client (browser).

Related

Completely getting rid of SSLv3 on Apache
Checking puppet-generated exim config before deploying
Grouping nodes in puppet
Can I use TLSv1.0 for one client IP, TLS v1.2 for everyone else
Where do md array definitions come from?
Multiple wildcard certificates for same common name on different servers
Why is the cron ENV different from the user's ENV?
Google Chrome says my SSL uses outdated security settings but other site tests disagree [closed]
Server2k8: Prevent membership in a group based on membership in another group
Squid3 'The proxy server is refusing connections'
Enforce 15-character minimum password length on Windows
How configure environment variable with AcceptEnv