Disable authentication for HTTP OPTIONS method (preflight request) in Nginx

nginx cors

My problem is the exact same one as described here: Disable authentication for HTTP OPTIONS method (preflight request). I'm trying to use CORS and HTTP passwords at the same time. When the browser see an bounced OPTIONS (status code 401), for some reason it'll immediate check for the CORS headers (which will be absent) and reject the request.

Here's my config:

location /api/ {
    proxy_pass http://127.0.0.1:14000;
    proxy_set_header Host $host;
    add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
    add_header Access-Control-Allow-Origin $http_origin;
    add_header Access-Control-Allow-Headers "Authorization, Content-Type";
    add_header Access-Control-Allow-Credentials true;
    auth_basic            "Restricted Area";
    auth_basic_user_file  /var/www/admin.htpasswd;
}

Here's the solution I came up with. It insolves duplicating all the CORS add_header directives though. 

location /api/ {
    proxy_pass http://127.0.0.1:14000;
    proxy_set_header Host $host;
    add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
    add_header Access-Control-Allow-Origin $http_origin;
    add_header Access-Control-Allow-Headers "Authorization, Content-Type";
    add_header Access-Control-Allow-Credentials true;
    if ($request_method = OPTIONS) {
        add_header Content-Length 0;
        add_header Content-Type text/plain;
        add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
        add_header Access-Control-Allow-Origin $http_origin;
        add_header Access-Control-Allow-Headers "Authorization, Content-Type";
        add_header Access-Control-Allow-Credentials true;
        return 200;
    }
    auth_basic            "Restricted Area";
    auth_basic_user_file  /var/www/admin.htpasswd;
}

I found a cleaner solution which lets node manage the request:

Put the following configuration inside "location" and remove any auth_basic from server. This will work.

  location / {
    # Your node proxy configuration for example #

    # Make options requests work #
    limit_except OPTIONS {
      auth_basic "Restricted access zone";
      auth_basic_user_file /etc/nginx/pass/protected;
    }
  }

Related

How would a PCAP filter look like to capture all DHCP related traffic?
Get-AzureRmResourceGroup not returning resources from current subscription
Copy folder and its subfolders from puppet master to agent
how can I mount a windows share with rw access?
How to refer to an existing uid and gid in Ansible?
Unix / Linux command to see finished or killed processes
How to improve AWS RDS Performance - Heavy read write updates
OpenSSL - Add Subject Alternate Name (SAN) when signing with CA
Getting Too many Open files error for Postgres
Amazon EFS Mount from OSX
Wildcard *.localhost SSL with Nginx and Chrome
What is a PCIe slot with an "x4 slot" and "x16 connector"?