AtlasOfLivingAustralia · vjrj · Jun 5, 2020 · Feb 13, 2020 · Mar 13, 2020 · Mar 19, 2020
diff --git a/ansible/roles/nginx_vhost/defaults/main.yml b/ansible/roles/nginx_vhost/defaults/main.yml
@@ -92,3 +92,9 @@ nginx_rate_limit_burst: "80"
 
 # Set to true to disable disk buffering e.g. for downloading large files (sets proxy_max_temp_file_size to 0)
 nginx_disable_download_disk_buffering: False
+# Set this to configure cors to some regexp
+# Test your regexp of type PCRE with a tool like https://www.regextester.com/
+# Sample:  ^https?:\/\/(localhost|l-a\.site|.*\.l-a\.site)
+# nginx_cors_origin_regexp: '^https?:\/\/(localhost|l-a\.site|.*\.l-a\.site)'
+nginx_cors_headers: "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range"
+nginx_cors_methods: "GET, POST, OPTIONS"
diff --git a/ansible/roles/nginx_vhost/tasks/main.yml b/ansible/roles/nginx_vhost/tasks/main.yml
@@ -146,6 +146,14 @@
   tags:
     - nginx_vhost
 
+- name: copy cors configuration if required
+  template:
+    src: "ala_cors.j2"
+    dest: "{{nginx_conf_dir}}/conf.d/ala_cors_{{appname}}"
+  when: nginx_cors_origin_regexp is defined
+  tags:
+    - nginx_vhost
+
 - name: add upstream fragment
   template:
     src: "fragment_02_upstream.j2"
@@ -273,6 +281,16 @@
   tags:
     - nginx_vhost
 
+- name: add cors fragment if required
+  template:
+    src: "fragment_74_location_cors.j2"
+    dest: "{{nginx_conf_dir}}/vhost_fragments/{{hostname}}/http_70_location_{{ item.sort_label | default(item.path | basename) }}_74_cors"
+  with_items:
+    - "{{ nginx_paths}} "
+  when: (ssl | bool == False or (ssl | bool == True and force_https | bool == False)) and vhost_required | bool == True and nginx_cors_origin_regexp is defined
+  tags:
+    - nginx_vhost
+
 # if not ssl or (ssl and not force_https): copy (75 per path) http
 # basename filter returns last part of path e.g. for /ws returns ws, for / returns empty
 - name: if not using force_https, add location http fragments
@@ -354,6 +372,16 @@
   tags:
     - nginx_vhost
 
+- name: add cors fragment if required
+  template:
+    src: "fragment_74_location_cors.j2"
+    dest: "{{nginx_conf_dir}}/vhost_fragments/{{hostname}}/https_70_location_{{ item.sort_label | default(item.path | basename) }}_74_cors"
+  with_items:
+    - "{{ nginx_paths}} "
+  when: ssl | bool == True and vhost_required | bool == True and nginx_cors_origin_regexp is defined
+  tags:
+    - nginx_vhost
+
 # if ssl, copy (75 per path) https
 # example https location for /ws path: /etc/nginx/vhost_fragments/bie-test.ala.org.au/https_75_location_end_ws
 # basename filter returns last part of path e.g. for /ws returns ws, for / returns empty

diff --git a/ansible/roles/nginx_vhost/templates/ala_cors.j2 b/ansible/roles/nginx_vhost/templates/ala_cors.j2
@@ -0,0 +1,57 @@
+# Allow static fonts 
+location ~* .(eot|otf|svg|ttf|woff|woff2)$ {
+  add_header Access-Control-Allow-Origin *;
+}
+
+set $cors '';
+
+# Test your regexp of type PCRE with a tool like https://www.regextester.com/
+# Sample:  ^https?:\/\/(localhost|l-a\.site|.*\.l-a\.site)
+if ($http_origin ~* '{{ nginx_cors_origin_regexp }}') {
+  set $cors 'C';
+}
+
+# As multiple ifs are not allowed we follow this option
+# http://rosslawley.co.uk/archive/old/2010/01/04/nginx-how-to-multiple-if-statements/
+
+if ($request_method = GET) {
+  set $cors '${cors}GET';
+}
+
+if ($request_method = POST) {
+  set $cors '${cors}POST';
+}
+
+if ($request_method = OPTIONS) {
+  set $cors '${cors}OPTIONS';
+}
+
+# This is modified version of: https://enable-cors.org/server_nginx.html restricting to previous regexp
+
+if ($cors = COPTIONS) {
+  add_header 'Access-Control-Allow-Origin' '*';
+  add_header 'Access-Control-Allow-Methods' '{{ nginx_cors_methods }}';
+  #
+  # Custom headers and headers various browsers *should* be OK with but aren't
+  #
+  add_header 'Access-Control-Allow-Headers' '{{ nginx_cors_headers }}';
+  #
+  # Tell client that this pre-flight info is valid for 20 days
+  #
+  add_header 'Access-Control-Max-Age' 1728000;
+  add_header 'Content-Type' 'text/plain; charset=utf-8';
+  add_header 'Content-Length' 0;
+  return 204;
+}
+if ($cors = CPOST) {
+  add_header 'Access-Control-Allow-Origin' '*';
+  add_header 'Access-Control-Allow-Methods' '{{ nginx_cors_methods }}';
+  add_header 'Access-Control-Allow-Headers' '{{ nginx_cors_headers }}';
+  add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
+}
+if ($cors = CGET) {
+  add_header 'Access-Control-Allow-Origin' '*' always;
+  add_header 'Access-Control-Allow-Methods' '{{ nginx_cors_methods }}';
+  add_header 'Access-Control-Allow-Headers' '{{ nginx_cors_headers }}';
+  add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
+}
diff --git a/ansible/roles/nginx_vhost/templates/fragment_74_location_cors.j2 b/ansible/roles/nginx_vhost/templates/fragment_74_location_cors.j2
@@ -0,0 +1,3 @@
+{% if nginx_cors_origin_regexp is defined and nginx_cors_origin_regexp|length > 0 %}
+        include /etc/nginx/conf.d/ala_cors_{{appname}};
+{% endif %}