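# Handling CORS headers for cross-origin requests - example nginx configuration.
# See https://developer.mozilla.org/en/docs/Web/HTTP/CORS
#
# Security notes for this file:
#   * Access-Control-Allow-Origin echoes $http_origin for every host under
#     my-site.com and is combined with Access-Control-Allow-Credentials: true,
#     so every subdomain (including forgotten or dangling ones) gets
#     credentialed cross-origin access. Keep the allow list as narrow as the
#     application really needs.
#   * add_header is NOT inherited into a location/if block that declares its
#     own add_header, which is why the "optional" security headers are
#     repeated in every block that sets CORS headers.
#
# TODO: check if origin is set. If missing then do not add CORS headers
# TODO: handle ports in origin

# check if origin header is among allowed ones
map $http_origin $cors_origin {
    hostnames;

    # all domains and subdomains for my-site.com or *.my-site.com can request contents
    # E.g. www.my-site.com can request data from api.my-site.com
    .my-site.com                    $http_origin;
    'http://api.my-site.com:7777'   $http_origin;   # handle non-standard port
    # add more domains where non-standard port usage is expected...

    # fallback otherwise. This value carries no scheme, so it can never equal a
    # browser's Origin value and the browser rejects the cross-origin response.
    default www.my-site.com;   # my canonical host name

    # in developer mode use next line instead of previous one
    # default '*';   # allow all cross-origin requests. Not for production!
}

# check if CORS "simple request" (it does not require preflight requests) is done that we support
# NOTE: preflight responses below advertise PUT, DELETE and PATCH, but only the
# methods listed here ever receive Access-Control-Allow-Origin on the actual
# response, so browsers still block the non-simple methods. Keep the two lists
# in sync when extending the application.
map $request_method $cors_is_simple_request {
    'GET'   1;
    'POST'  1;
    'HEAD'  1;
    default 0;   # not simple request or not supported by application method
}

server {
    listen 80;
    listen 7777;   # non-standard port. May be used in development, see handling above

    server_name my-site.com www.my-site.com api.my-site.com;   # use the same host as docker container app
    root /var/www/site.com;

    access_log /var/log/nginx/my-site.access.log;
    error_log  /var/log/nginx/my-site.error.log notice;

    # add optional headers...
    # NOTE: X-XSS-Protection is a legacy header; a Content-Security-Policy is
    # the current way to mitigate XSS in browsers.
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";

    # handling static files - js, css, png...
    location /static/ {
        # processing preflight requests
        if ($request_method = 'OPTIONS') {
            add_header 'Access-Control-Allow-Origin' $cors_origin;
            add_header 'Access-Control-Allow-Credentials' 'true';
            # HEAD is listed here as well so the preflight and the simple-request
            # blocks advertise the same method set
            add_header 'Access-Control-Allow-Methods' 'OPTIONS, HEAD, GET, POST, PUT, DELETE, PATCH';
            # specify allowed headers for passing over request from client to server
            add_header 'Access-Control-Allow-Headers' 'DNT, User-Agent, X-Requested-With, If-Modified-Since, Content-Type, Cache-Control, Authorization';
            # add extra headers to preflight response to cache results for some time
            add_header 'Access-Control-Max-Age' 86400;
            # media type and charset must be separated by ';' to be a valid Content-Type
            add_header 'Content-Type' 'text/plain; charset=UTF-8';
            add_header 'Content-Length' 0;
            # indicate that responses may vary based on these provided headers
            add_header 'Vary' 'Accept-Encoding, Origin';
            # add optional headers...
            add_header X-Frame-Options "SAMEORIGIN";
            add_header X-XSS-Protection "1; mode=block";
            add_header X-Content-Type-Options "nosniff";
            return 204;
        }

        # handling simple requests that are not preflighted
        if ($cors_is_simple_request) {
            add_header 'Access-Control-Allow-Origin' $cors_origin;
            add_header 'Access-Control-Allow-Credentials' 'true';
            add_header 'Access-Control-Allow-Methods' 'OPTIONS, HEAD, GET, POST, PUT, DELETE, PATCH';
            add_header 'Access-Control-Allow-Headers' 'DNT, User-Agent, X-Requested-With, If-Modified-Since, Content-Type, Cache-Control, Authorization';
            add_header 'Access-Control-Expose-Headers' 'Content-Length, Content-Range';
            add_header 'Vary' 'Accept-Encoding, Origin';
            # add more CORS headers here and other blocks...
            # add optional headers...
            add_header X-Frame-Options "SAMEORIGIN";
            add_header X-XSS-Protection "1; mode=block";
            add_header X-Content-Type-Options "nosniff";
        }
    }

    # handling dynamic files - with cgi
    # see https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/
    location / {
        # processing preflight requests
        if ($request_method = 'OPTIONS') {
            add_header 'Access-Control-Allow-Origin' $cors_origin;
            add_header 'Access-Control-Allow-Credentials' 'true';
            add_header 'Access-Control-Allow-Methods' 'OPTIONS, HEAD, GET, POST, PUT, DELETE, PATCH';
            # specify allowed headers for passing over request from client to server
            add_header 'Access-Control-Allow-Headers' 'DNT, User-Agent, X-Requested-With, If-Modified-Since, Content-Type, Cache-Control, Authorization';
            # add extra headers to preflight response to cache results for some time
            add_header 'Access-Control-Max-Age' 86400;
            # media type and charset must be separated by ';' to be a valid Content-Type
            add_header 'Content-Type' 'text/plain; charset=UTF-8';
            add_header 'Content-Length' 0;
            # indicate that responses may vary based on these provided headers
            add_header 'Vary' 'Accept-Encoding, Origin';
            # add optional headers...
            add_header X-Frame-Options "SAMEORIGIN";
            add_header X-XSS-Protection "1; mode=block";
            add_header X-Content-Type-Options "nosniff";
            return 204;
        }

        # Simple requests are routed to the @cors named location through a
        # synthetic 418 status (the "if is evil" workaround): adding headers
        # directly inside the if-block would break the try_files forwarding to
        # the PHP front controller. recursive_error_pages lets the redirected
        # request go through error_page processing again if needed.
        error_page 418 = @cors;
        recursive_error_pages on;

        # handling simple requests that are not preflighted
        if ($cors_is_simple_request) {
            # otherwise this if-block will break php forwarding for try_files
            return 418;
        }

        try_files $uri /index.php$is_args$args;
    }

    location @cors {
        # Flag "always" will force headers to return with disregard to response status code
        # will show headers only if files exist in given file system - see try_files
        add_header 'Access-Control-Allow-Origin' $cors_origin always;
        add_header 'Access-Control-Allow-Credentials' 'true' always;
        add_header 'Access-Control-Allow-Methods' 'OPTIONS, HEAD, GET, POST, PUT, DELETE, PATCH' always;
        add_header 'Access-Control-Allow-Headers' 'DNT, User-Agent, X-Requested-With, If-Modified-Since, Content-Type, Cache-Control, Authorization' always;
        add_header 'Access-Control-Expose-Headers' 'Content-Length, Content-Range' always;
        add_header 'Vary' 'Accept-Encoding, Origin' always;
        # add optional headers...
        # NOTE: without "always" these are absent from 4xx/5xx responses; add the
        # flag if error pages must carry them too.
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Content-Type-Options "nosniff";

        try_files $uri /index.php$is_args$args;
        internal;   # named locations are only reachable via internal redirect anyway
    }

    location ~ ^/index\.php(/|$) {
        fastcgi_pass btc-php:9000;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;

        # When you are using symlinks to link the document root to the
        # current version of your application, you should pass the real
        # application path instead of the path to the symlink to PHP
        # FPM.
        # Otherwise, PHP's OPcache may not properly detect changes to
        # your PHP files (see https://github.com/zendtech/ZendOptimizerPlus/issues/126
        # for more information).
        # Set after the include so it is sent exactly once (fastcgi_param values
        # accumulate; a second SCRIPT_FILENAME would be passed as a duplicate).
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT   $realpath_root;

        # Prevents URIs that include the front controller. This will 404:
        # http://domain.tld/index.php/some-path
        # Remove the internal directive to allow URIs like this
        internal;

        if ($cors_is_simple_request) {
            # Flag "always" will force headers to return with disregard to response status code
            add_header 'Access-Control-Allow-Origin' $cors_origin always;
            add_header 'Access-Control-Allow-Credentials' 'true' always;
            add_header 'Access-Control-Allow-Methods' 'OPTIONS, HEAD, GET, POST, PUT, DELETE, PATCH' always;
            add_header 'Access-Control-Allow-Headers' 'DNT, User-Agent, X-Requested-With, If-Modified-Since, Content-Type, Cache-Control, Authorization' always;
            add_header 'Access-Control-Expose-Headers' 'Content-Length, Content-Range' always;
            add_header 'Vary' 'Accept-Encoding, Origin' always;
            # add optional headers...
            add_header X-Frame-Options "SAMEORIGIN";
            add_header X-XSS-Protection "1; mode=block";
            add_header X-Content-Type-Options "nosniff";
        }
    }

    # block dotfiles (except ACME/.well-known), template/include/SQL sources and the git tree
    location ~ /\.(?!well-known).* {
        deny all;
    }

    location ~* \.(tpl|inc|sql)$ {
        deny all;
    }

    location ~ /\.git {
        deny all;
    }

    # return 404 for all other php files not matching the front controller
    # this prevents access to other php files you don't want to be accessible.
    location ~ \.php$ {
        return 404;
    }

    # ... put your regular web host configs
}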