How can I replace Access-Control-Allow-Origin header in proxy response with nginx
I am using a simple nginx instance to proxy REST calls to another server. The purpose of my proxy is to allow the use of cookies for authentication. I have it working, except for one problem. The server providing the REST service is sending the header Access-Control-Allow-Origin *. That header is too permissive for cookie-based authentication. I need to replace that header with one that is more restrictive.
Here is a subset of my nginx config:
map $http_origin $cors_header {
    default "";
    "~^https?://[^/]+\.mydomain\.com(:[0-9]+)?$" $http_origin;
}
server {
    location / {
        proxy_pass https://myrestserver.com/api;
        add_header Access-Control-Allow-Origin $cors_header;
        add_header Access-Control-Allow-Credentials true;
    }
}
My problem is that I end up with two Access-Control-Allow-Origin headers present in my response. How can I replace the header that comes back from the REST server so that only my version of the header is present in the final response?
Solution 1:
The best thing to do would be to change the response on the REST server side, but, assuming you don't have control of the REST server, there is a module for Nginx that can modify headers called ngx_headers_more: https://github.com/openresty/headers-more-nginx-module
You'll have to install the module (this will likely involve building nginx from source and adding the module in ./configure, as described in the GitHub readme). For your specific problem, once you install it you can add this directive in any block:
more_set_headers "Access-Control-Allow-Origin: $cors_header";
Solution 2:
This works without extra nginx modules:
proxy_hide_header 'access-control-allow-origin';
add_header 'access-control-allow-origin' '*';
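
Solution 2's proxy_hide_header combined with the question's own map, so the upstream wildcard is dropped and only an allow-listed origin is echoed back. This is an added example, not part of any post above; the $cors_credentials map, the Vary header and the `always` flags are assumptions layered on the question's config.

```nginx
# Added example, not from the posts above. Host names are the question's own.
map $http_origin $cors_header {
    default "";
    "~^https?://[^/]+\.mydomain\.com(:[0-9]+)?$" $http_origin;
}

# Assumed second map: send Allow-Credentials only when the origin was accepted.
map $cors_header $cors_credentials {
    default "true";
    ""      "";
}

server {
    location / {
        proxy_pass https://myrestserver.com/api;

        # Drop the upstream's CORS headers so only the ones below reach the client.
        proxy_hide_header Access-Control-Allow-Origin;
        proxy_hide_header Access-Control-Allow-Credentials;

        # add_header skips a header whose value is empty, so a request with a
        # non-matching Origin gets no CORS headers at all.
        add_header Access-Control-Allow-Origin      $cors_header      always;
        add_header Access-Control-Allow-Credentials $cors_credentials always;

        # The response now varies with the request's Origin; tell caches so.
        add_header Vary Origin always;
    }
}
```

To check the result, request the proxy with an allowed and a disallowed Origin header and confirm that exactly one Access-Control-Allow-Origin header appears in the first response and none in the second.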