Nginx之CORS（Cross-Origin Resource Sharing，跨來源資源共享）來實現防止盜連多媒體資源

IT_man

以下是gist.github.com支援reverse proxied APIs的範例:

# CORS header support
( l& I0 P, K! E9 a7 ~+ q( g#
# One way to use this is by placing it into a file called "cors_support"
# under your Nginx configuration directory and placing the following
# statement inside your **location** block(s):
#
" P0 W) X8 I- f$ J5 g  @#   include cors_support;
#
# As of Nginx 1.7.5, add_header supports an "always" parameter which
: V1 S$ j& H. |+ d3 I# allows CORS to work if the backend returns 4xx or 5xx status code.
#
# For more information on CORS, please see: http://enable-cors.org/
# Forked from this Gist: https://gist.github.com/michiel/1064640
#
4 x2 H' p8 M0 f8 Q) w) m
* {* k% @* ^+ ], Q$ U) sset $cors '';
7 F8 l9 m# h! F9 e+ G4 eif ($http_origin ~ '^https?://(localhost|www\.yourdomain\.com|www\.yourotherdomain\.com)$') {
4 S$ I" C  Z5 N1 @9 c        set $cors 'true';
}

if ($cors = 'true') {
0 H! K# X, H8 P# n6 O3 y        add_header 'Access-Control-Allow-Origin' "$http_origin" always;
        add_header 'Access-Control-Allow-Credentials' 'true' always;
# w& m) v1 @9 O, }, A4 n; B        add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;
        add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With' always;
& Z* p- C  A$ U2 a4 \' v6 q7 z        # required to be able to read Authorization header in frontend
* r- Z1 T7 X. S" J        #add_header 'Access-Control-Expose-Headers' 'Authorization' always;
$ [- \3 M3 o7 V- }: D4 l$ y7 q}

/ O- u. N( o3 k5 r! Lif ($request_method = 'OPTIONS') {
        # Tell client that this pre-flight info is valid for 20 days
- c+ F5 O: g. K  z: H1 o        add_header 'Access-Control-Max-Age' 1728000;
6 q" `1 o; ^& y' Y        add_header 'Content-Type' 'text/plain charset=UTF-8';
        add_header 'Content-Length' 0;
& v) l; a3 E, ^" V. b1 i        return 204;
3 @; t6 L) L1 A3 Z& M& }# m( \+ [}

https://gist.github.com/Stanback/7145487#file-nginx-conf 的討論範例:
! @6 _* O3 l+ l5 Z- i1 i$ H) x

if ( $request_method !~ ^(GET|POST|HEAD|OPTIONS|PUT|PATCH|DELETE)$ ) {     return 444;
: D; B/ G7 S' w* q% x" O}
set $origin $http_origin;
if ($origin !~ '^https?://(subdom1|subdom2)\.yourdom\.zone$') {
4 T  G# x7 i: L6 \1 S     set $origin 'https://default.yourdom.zone';
$ b2 G4 `( |7 L1 V8 @, z+ p}
: t0 J2 V* N$ g( A# Cif ($request_method = 'OPTIONS') {
. J1 V# [/ u3 z2 z     add_header 'Access-Control-Allow-Origin' "$origin" always;
     add_header 'Access-Control-Allow-Methods' 'GET, POST, PATCH, PUT, DELETE, OPTIONS' always;
" O3 ]" r* o& B0 [4 Y     add_header 'Access-Control-Allow-Headers' 'Content-Type, Accept, Authorization' always;
/ g2 j  X2 x4 h; ^# c. x4 C+ Y     add_header 'Access-Control-Allow-Credentials' 'true' always;
% K$ [8 S' [; |4 F2 v$ Z1 e     add_header Access-Control-Max-Age 1728000;   #20 days   
     add_header Content-Type 'text/plain charset=UTF-8';
     add_header Content-Length 0;
- E; H% {, e$ x: h  H* q* {     return 204;
1 }. k2 N: X6 v}
if ($request_method ~ '(GET|POST|PATCH|PUT|DELETE)') {
' Q6 z' @4 i0 V' `0 g1 K) l5 V% a. \     add_header Access-Control-Allow-Origin "$origin" always;
     add_header Access-Control-Allow-Methods 'GET, POST, PATCH, PUT, DELETE, OPTIONS' always;
     add_header Access-Control-Allow-Headers 'Content-Type, Accept, Authorization' always;
     add_header Access-Control-Allow-Credentials true always;
}

Access-Control-Allow-Origin Multiple Origin Domains? 的例子:

# based on https://gist.github.com/4165271/
/ }* o0 u- Y/ t& w* W0 }4 B  M+ r#
, C5 q- y4 a! R7 \1 `$ O# Slightly tighter CORS config for nginx
: \; I% I7 ?7 b#
# A modification of https://gist.github.com/1064640/ to include a white-list of URLs
#
6 l; O  K6 _) c# s, B; \# Despite the W3C guidance suggesting that a list of origins can be passed as part of
# Access-Control-Allow-Origin headers, several browsers (well, at least Firefox)
: X+ Q. |! ~1 z; T9 }# don't seem to play nicely with this.
8 ^# y; P$ ?* r! D) O3 E0 d+ `#
) H: x5 T) M) I6 B+ Y9 ?1 o  o3 O# To avoid the use of 'Access-Control-Allow-Origin: *', use a simple-ish whitelisting
# method to control access instead.
% K3 D! u0 I+ I4 }0 K% K( {#
3 g  _; U+ O5 c4 m# NB: This relies on the use of the 'Origin' HTTP Header.
( Y9 |1 Z, }; H/ D0 i
location / {

+ Z' Y* x, y9 |5 @* F6 ]9 Z6 K/ s; v    if ($http_origin ~* (^https?://([^/]+\.)*(domainone|domaintwo)\.com$)) {
        set $cors "true";
/ X: L0 Q6 l: E4 a/ Z    }

; {/ y; L7 X: ]) b    # Nginx doesn't support nested If statements. This is where things get slightly nasty.
    # Determine the HTTP request method used
    if ($request_method = 'OPTIONS') {
0 P4 i9 {8 l' M8 V- ]" \        set $cors "${cors}options";
. n( k% f3 ?* r2 ~" l. E    }
1 l! b+ |  N& ]# V& {8 C    if ($request_method = 'GET') {
        set $cors "${cors}get";
4 d, |; a8 l, h  g    }
    if ($request_method = 'POST') {
        set $cors "${cors}post";
& a* f+ d- a2 I3 L6 \    }
8 b2 {+ r# G3 _+ P# l3 n3 ]
    if ($cors = "true") {
. L& Z" J+ k- p. T        # Catch all incase there's a request method we're not dealing with properly
. {, M0 L+ D5 d5 J# `$ e6 s) o1 ]4 }% ~        add_header 'Access-Control-Allow-Origin' "$http_origin";
    }

6 i! r, s% I: X! n! F" [3 g! v5 D    if ($cors = "trueget") {
        add_header 'Access-Control-Allow-Origin' "$http_origin";
# u* P3 q! F( ?1 G# }        add_header 'Access-Control-Allow-Credentials' 'true';
5 p6 V4 }" P) W: b! t5 g# O        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
& }( ^( d+ s  ~4 V1 _  X) O# m) B    }

    if ($cors = "trueoptions") {
3 D4 f4 j$ m5 }. S& l" F9 U        add_header 'Access-Control-Allow-Origin' "$http_origin";

' E+ r; m+ F/ W1 n+ s        #
+ S: X$ e3 P* I$ J2 d& u        # Om nom nom cookies
        #
+ R$ n' W/ |% K- n        add_header 'Access-Control-Allow-Credentials' 'true';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
/ M0 C* i# L/ b, D2 \6 V
        #
        # Custom headers and headers various browsers *should* be OK with but aren't
7 \- A! \! A5 \1 S        #
        add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';

! j# G8 ]  T" z8 A: |6 S        #
7 V" N, A9 `6 o/ M) ~; d2 M        # Tell client that this pre-flight info is valid for 20 days
        #
        add_header 'Access-Control-Max-Age' 1728000;
0 K! V0 F, W8 u9 W/ I, H( c# l' {        add_header 'Content-Type' 'text/plain charset=UTF-8';
        add_header 'Content-Length' 0;
  m" o2 j. J. C0 q+ {4 m$ q& k# [        return 204;
    }
; P  S- {; Y# n& F8 P) p
: m: ]: \- |' h2 O- K    if ($cors = "truepost") {
+ s. o/ _: I- v4 Q9 ?; D        add_header 'Access-Control-Allow-Origin' "$http_origin";
        add_header 'Access-Control-Allow-Credentials' 'true';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
: A2 y) v- d! d) \/ u    }

* R* p8 }: J- e. M( u" j}

" r, l# d+ b( h7 S" d: Q
" ~7 m  p4 X- g) H4 U/ M