From ac9467364caca89f56cad16fcba9fb1b812de219 Mon Sep 17 00:00:00 2001 From: khorshuheng Date: Thu, 9 Jan 2025 00:59:18 +0800 Subject: [PATCH] fix: CORS setup to allow localhost:3000 to access api endpoint --- doc/DEPLOYMENT.md | 14 ++++++++++++-- nginx/nginx.conf | 37 +++++++++++++++++-------------------- 2 files changed, 29 insertions(+), 22 deletions(-) diff --git a/doc/DEPLOYMENT.md b/doc/DEPLOYMENT.md index 365fe917a..bb65676a1 100644 --- a/doc/DEPLOYMENT.md +++ b/doc/DEPLOYMENT.md @@ -164,8 +164,18 @@ docker logs to be served on a different origin that the one used for AppFlowy Cloud (eg. if you are hosting `appflowy cloud` on `appflowy.home.com`, `appflowy_web` may be hosted on `web.appflowy.home.com`). The source code and deployment guide can be found in this [repository](https://github.com/AppFlowy-IO/AppFlowy-Web). -- To prevent CORS issues, you will need to change `set $appflowy_web "http://localhost:3000";` in `nginx/nginx.conf` - to the origin where you are hosting `appflowy_web`. +- To prevent CORS issues, you will need to add your AppFlowy Web origin. By default, we allow requests from `localhost:3000`, + using, the configuration below: + ``` + map $http_origin $cors_origin { + # AppFlowy Web origin + "~^http://localhost:3000$" $http_origin; + default "null"; + } + ``` + Replace `http://localhost:3000` with your AppFlowy Web origin. + + ## Ports diff --git a/nginx/nginx.conf b/nginx/nginx.conf index 5bec835aa..1f4bd1dee 100644 --- a/nginx/nginx.conf +++ b/nginx/nginx.conf @@ -14,6 +14,12 @@ http { '' close; } + map $http_origin $cors_origin { + # AppFlowy Web origin + "~^http://localhost:3000$" $http_origin; + default "null"; + } + server { listen 8080; @@ -33,7 +39,6 @@ http { client_max_body_size 10M; underscores_in_headers on; - set $appflowy_web_origin "http://localhost:3000"; set $appflowy_cloud_backend "http://appflowy_cloud:8000"; set $gotrue_backend "http://gotrue:9999"; set $admin_frontend_backend "http://admin_frontend:3000"; @@ -66,19 +71,6 @@ http { } # AppFlowy-Cloud - # created a separate location block for handling CORS preflight (OPTIONS) requests specifically for the /api endpoint. - location = /api/options { - if ($http_origin ~* ($appflowy_web_origin)) { - add_header 'Access-Control-Allow-Origin' $http_origin; - } - add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, PUT, DELETE, PATCH'; - add_header 'Access-Control-Allow-Headers' 'Content-Type, Authorization, Accept, Client-Version'; - add_header 'Access-Control-Max-Age' 3600; - add_header 'Content-Type' 'text/plain; charset=utf-8'; - add_header 'Content-Length' 0; - return 204; - } - location /api/chat { proxy_pass $appflowy_cloud_backend; @@ -101,9 +93,7 @@ http { proxy_set_header Host $http_host; # Handle CORS - if ($http_origin ~* ($appflowy_web_origin)) { - add_header 'Access-Control-Allow-Origin' $http_origin always; - } + add_header 'Access-Control-Allow-Origin' $cors_origin always; add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, PATCH, OPTIONS' always; add_header 'Access-Control-Allow-Headers' 'Content-Type, Authorization, Accept' always; add_header 'Access-Control-Max-Age' 3600 always; @@ -130,10 +120,17 @@ http { proxy_set_header X-Forwarded-Proto $scheme; # Set CORS headers for other requests - if ($http_origin ~* ($appflowy_web_origin)) { - add_header 'Access-Control-Allow-Origin' $http_origin always; + + if ($request_method = 'OPTIONS') { + add_header 'Access-Control-Allow-Origin' $cors_origin always; + add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, PATCH, OPTIONS' always; + add_header 'Access-Control-Allow-Headers' 'Content-Type, Authorization, Accept, Client-Version' always; + add_header 'Access-Control-Max-Age' 3600 always; + return 204; } - add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, PATCH' always; + + add_header 'Access-Control-Allow-Origin' $cors_origin always; + add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, PATCH, OPTIONS' always; add_header 'Access-Control-Allow-Headers' 'Content-Type, Authorization, Accept, Client-Version' always; add_header 'Access-Control-Max-Age' 3600 always;