Nginx WebDAV module ignoring CORS headers

I am running WebDAV using Nginx. I have a JS application that uses it as storage. The problem is that the WebDAV extension is removing the headers I add with "add_header" in the configuration.

    server {
        # IP, Certificates, fullpath, autoindex ...
        dav_methods PUT DELETE MKCOL COPY MOVE;
        dav_ext_methods PROPFIND OPTIONS;
        dav_access user:rw group:rw all:rw;
        location / {
            root /srv/http/content;
            # Preflighted requests
            if ($request_method = OPTIONS) {
                add_header "Access-Control-Allow-Origin" *;
                add_header "Access-Control-Allow-Methods" "GET, HEAD, POST, PUT, OPTIONS, MOVE, DELETE, COPY, LOCK, UNLOCK, PROPFIND";
                add_header "Access-Control-Allow-Headers" "Authorization, Origin, X-Requested-With, Content-Type, Accept, DNT, X-CustomHeader, Keep-Alive,User-Agent, X-Requested-With, If-Modified-Since, Cache-Control, Content-Range, Range, Depth";
                return 200;
            }
            if ($request_method = (GET|POST|HEAD|DELETE|PROPFIND)) {
                add_header "Access-Control-Allow-Origin" *;
                add_header "Access-Control-Allow-Methods" "GET, HEAD, POST, PUT, OPTIONS, MOVE, DELETE, COPY, LOCK, UNLOCK, PROPFIND";
                add_header "Access-Control-Allow-Headers" "Authorization, Origin, X-Requested-With, Content-Type, Accept";
            }
        }
    }
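
When I open a WebDAV connection from my application, it requests OPTIONS and then PROPFIND. The OPTIONS request goes through with the correct CORS headers, but PROPFIND fails because no CORS headers are set.

Note the special case for OPTIONS in the configuration, where I force Nginx to return HTTP 200. Then the headers appear. But when WebDAV is left to complete the request, all CORS headers are gone.

Has anyone worked around this behavior?
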
It is actually a bug in nginx's WebDAV. I was able to quickly get WebDAV (with CORS, authentication and SSL) running using lighttpd. My sample configuration:

    server.port = 81
    server.username = "http"
    server.groupname = "http"
    server.modules = (
        "mod_webdav",
        "mod_auth",
        "mod_setenv", # before mod_status, very important!
        "mod_status",
        "mod_openssl"
    )
    server.document-root = "/srv/http/content"
    server.errorlog = "/var/log/lighttpd/error.log"
    ssl.engine = "enable"
    ssl.pemfile = "/etc/ssl/webdav.key"
    webdav.activate = "enable"
    auth.backend = "htpasswd"
    auth.backend.htpasswd.userfile = "/srv/http/passwd"
    setenv.add-response-header = (
        "Access-Control-Allow-Origin" => "*",
        "Access-Control-Allow-Methods" => "GET, HEAD, POST, PUT, OPTIONS, MOVE, DELETE, COPY, LOCK, UNLOCK, PROPFIND",
        "Access-Control-Allow-Headers" => "Authorization, Origin, X-Requested-With, Content-Type, Accept, DNT, X-CustomHeader, Keep-Alive,User-Agent, X-Requested-With, If-Modified-Since,Cache-Control, Content-Range, Range, Depth, Content-Length"
    )
    mimetype.assign = (
        ".html" => "text/html",
        ".txt" => "text/plain",
        ".css" => "text/css",
        ".js" => "application/x-javascript",
        ".jpg" => "image/jpeg",
        ".jpeg" => "image/jpeg",
        ".gif" => "image/gif",
        ".png" => "image/png",
        "" => "application/octet-stream"
    )

I ran into the same problem.

Try adding the always keyword to the add_header statements:

    add_header "Access-Control-Allow-Origin" * always;
    add_header "Access-Control-Allow-Methods" "GET, HEAD, POST, PUT, OPTIONS, MOVE, DELETE, COPY, LOCK, UNLOCK, PROPFIND" always;
    add_header "Access-Control-Allow-Headers" "Authorization, Origin, X-Requested-With, Content-Type, Accept, DNT, X-CustomHeader, Keep-Alive,User-Agent, X-Requested-With, If-Modified-Since, Cache-Control, Content-Range, Range, Depth" always;

add_header documentation:

Syntax: add_header name value [always];
Adds the specified field to a response header provided that the
response code equals 200, 201 (1.3.10), 204, 206, 301, 302, 303, 304,
307 (1.1.16, 1.0.13), or 308 (1.13.0). [...] If the always parameter
is specified (1.7.5), the header field will be added regardless of the
response code.
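
Added example (not part of the original posts and not nginx's own code): a small Python check that applies the status-code rule from the documentation above to a config and lists the CORS headers that would be dropped for a given response status. It assumes a successful PROPFIND answers 207 Multi-Status (RFC 4918); the function names and the sample configs are constructed for illustration, and the check ignores `if` context and directive inheritance.

```python
import re

# Statuses for which nginx emits add_header fields when "always" is absent
# (the list in the add_header documentation quoted above).
DEFAULT_STATUSES = {200, 201, 204, 206, 301, 302, 303, 304, 307, 308}

DIRECTIVE = re.compile(r"^\s*add_header\s+(?P<args>.+?);\s*$", re.M)
TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def parse_add_headers(conf):
    """Return [(header_name, has_always)] for every add_header directive."""
    found = []
    for match in DIRECTIVE.finditer(conf):
        tokens = [quoted or bare for quoted, bare in TOKEN.findall(match.group("args"))]
        if len(tokens) >= 2:
            has_always = len(tokens) == 3 and tokens[2] == "always"
            found.append((tokens[0], has_always))
    return found


def missing_cors(conf, status):
    """Names of configured CORS headers that are not sent with this status."""
    return sorted({
        name
        for name, has_always in parse_add_headers(conf)
        if name.lower().startswith("access-control-")
        and not (has_always or status in DEFAULT_STATUSES)
    })


# Constructed sample configs, built from the directives shown on this page.
BEFORE = '''
location / {
    add_header "Access-Control-Allow-Origin" *;
    add_header "Access-Control-Allow-Headers" "Authorization, Depth";
}
'''
AFTER = BEFORE.replace(";\n", " always;\n")

if __name__ == "__main__":
    # 200: plain GET; 207: PROPFIND Multi-Status; 401: failed authentication
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        for status in (200, 207, 401):
            print(label, status, missing_cors(conf, status))
```
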