Nginx WebDAV 模块忽略 CORS 标头

Posted

技术标签:

【中文标题】Nginx WebDAV 模块忽略 CORS 标头【英文标题】:Nginx WebDAV module ignoring CORS headers 【发布时间】:2019-02-04 20:31:26 【问题描述】:

我正在使用 nginx 运行 WebDAV。我有一个 JS 应用程序将其用作存储。问题是 WebDAV 扩展正在删除我在配置中使用“add_header”添加的标头。

server 
  # IP, Certificates, fullpath, autoindex ...
  dav_methods      PUT DELETE MKCOL COPY MOVE;
  dav_ext_methods  PROPFIND OPTIONS;
  dav_access       user:rw group:rw all:rw;

  location / 
    root /srv/http/content;

    # Preflighted requests
    if ($request_method = OPTIONS) 
      add_header "Access-Control-Allow-Origin" *;
      add_header "Access-Control-Allow-Methods" "GET, HEAD, POST, PUT, OPTIONS, MOVE, DELETE, COPY, LOCK, UNLOCK, PROPFIND";
      add_header "Access-Control-Allow-Headers" "Authorization, Origin, X-Requested-With, Content-Type, Accept, DNT, X-CustomHeader, Keep-Alive,User-Agent, X-Requested-With, If-Modified-Since, Cache-Control, Content-Range, Range, Depth";
      return 200;
    

    if ($request_method = (GET|POST|HEAD|DELETE|PROPFIND)) 
      add_header "Access-Control-Allow-Origin" *;
      add_header "Access-Control-Allow-Methods" "GET, HEAD, POST, PUT, OPTIONS, MOVE, DELETE, COPY, LOCK, UNLOCK, PROPFIND";
      add_header "Access-Control-Allow-Headers" "Authorization, Origin, X-Requested-With, Content-Type, Accept";

当我从我的应用程序打开 WebDAV 连接时,它会请求 OPTIONS,然后是 PROPFIND。请求 OPTIONS 通过正确的 CORS 标头传递,但 PROPFIND 失败,因为没有设置 CORS 标头。 请注意配置中OPTIONS 的特殊情况,我强制Nginx 返回Http200。然后出现标题。但是当让 WebDAV 完成时,所有 CORS 标头都会消失。

有人规避了这种行为吗?

【问题讨论】:

【参考方案1】:

我遇到了同样的问题。

尝试将always 关键字添加到add_header 语句:

add_header "Access-Control-Allow-Origin" * always;
add_header "Access-Control-Allow-Methods" "GET, HEAD, POST, PUT, OPTIONS, MOVE, DELETE, COPY, LOCK, UNLOCK, PROPFIND" always;
add_header "Access-Control-Allow-Headers" "Authorization, Origin, X-Requested-With, Content-Type, Accept, DNT, X-CustomHeader, Keep-Alive,User-Agent, X-Requested-With, If-Modified-Since, Cache-Control, Content-Range, Range, Depth" always;

add_header 文档:

语法:add_header name value [always];

将指定字段添加到响应标头,前提是 响应码等于 200, 201 (1.3.10), 204, 206, 301, 302, 303, 304, 307(1.1.16、1.0.13)或 308(1.13.0)。 [...] 如果总是参数 已指定(1.7.5),将添加标题字段,而不管 响应代码。

https://nginx.org/en/docs/http/ngx_http_headers_module.html

【讨论】:

【参考方案2】:

其实是 nginx 的 webdav 的一个 bug。我能够使用 lighttpd 快速运行 webdav(带有 CORS、身份验证和 SSL)。我的示例配置

server.port         = 81
server.username     = "http"
server.groupname    = "http"
server.modules      = (
    "mod_webdav",
    "mod_auth",
    "mod_setenv", # before mod_status, very important!
    "mod_status",
    "mod_openssl"
    )
server.document-root= "/srv/http/content"
server.errorlog     = "/var/log/lighttpd/error.log"
ssl.engine          = "enable"
ssl.pemfile         = "/etc/ssl/webdav.key"
webdav.activate     = "enable"
auth.backend        = "htpasswd"
auth.backend.htpasswd.userfile = "/srv/http/passwd"
setenv.add-response-header     = (
    "Access-Control-Allow-Origin" => "*",
    "Access-Control-Allow-Methods" => "GET, HEAD, POST, PUT, OPTIONS, MOVE, DELETE, COPY, LOCK, UNLOCK, PROPFIND",
    "Access-Control-Allow-Headers" => "Authorization, Origin, X-Requested-With, Content-Type, Accept, DNT, X-CustomHeader, Keep-Alive,User-Agent, X-Requested-With, If-Modified-Since,Cache-Control, Content-Range, Range, Depth, Content-Length"
    )
mimetype.assign     = (
                ".html" => "text/html",
                ".txt" => "text/plain",
                ".css" => "text/css",
                ".js" => "application/x-javascript",
                ".jpg" => "image/jpeg",
                ".jpeg" => "image/jpeg",
                ".gif" => "image/gif",
                ".png" => "image/png",
                "" => "application/octet-stream"
            )

【讨论】:

以上是关于Nginx WebDAV 模块忽略 CORS 标头的主要内容,如果未能解决你的问题,请参考以下文章

django-cors-headers 和 nginx 配置:预检响应缺少 CORS 标头

nginx实战 WebDAV 模块 http_dav_module

Spring Boot Cors“Access-Control-Max-Age”标头被浏览器忽略

调用 AWS Lambda 时,Chrome 忽略 Access-Control-Allow-Origin 标头并因预检错误导致 CORS 失败

数字海洋 NGINX 和 gunicorn 上的 CORS 标头访问控制缺少 django

Laravel 5 / Nginx - 在 Web 服务器级别设置的 CORS 标头的奇怪行为