cors.conf

# $cors_enabled - "true" or "false" (required)
# $cors_allow_methods — string separated by comma (optional, default: see $cors_allow_methods_default)
# $cors_allow_headers — string separated by comma (optional, default: see $cors_allow_headers_default)
# $cors_allow_headers_force — for 'allow header' without default, string separated by comma (optional)
# $cors_allow_credentials — "true" or "false" (optional, default: false)
# $cors_allow_expose_headers — string (optional, default: "Content-Disposition")
# $cors_vary — string or "false" (optional, default: "Origin")
# $cors_max_age — number (optional, default: 86400)
# $cors_verbose - "true" or "false" (optional, default: false)
# $cors_debug - "true" or "false" (optional, default: false)


set $cors_preflight 'false';
set $cors_vary_default 'Origin';
set $cors_allow_origin $http_origin;
set $cors_allow_methods_default 'OPTIONS, GET, POST';
set $cors_allow_headers_default 'DNT, Authorization, Origin, X-Requested-With, X-Host, X-Request-Id, Timing-Allow-Origin, Content-Type, Accept, Content-Range, Range, Keep-Alive, User-Agent, If-Modified-Since, Cache-Control, Content-Type';
set $cors_allow_expose_headers_default 'Content-Disposition';

uninitialized_variable_warn off;

# Default: methods
if ($cors_allow_methods = '') {
	set $cors_allow_methods $cors_allow_methods_default;
}

# Required: headers
if ($cors_allow_headers ~ '.+') {
	set $cors_allow_headers "$cors_allow_headers_default, $cors_allow_headers";
}

# Default: headers
if ($cors_allow_headers = '') {
	set $cors_allow_headers $cors_allow_headers_default;
}

# Default: allow headers (force)
if ($cors_allow_headers_force = '') {
	set $cors_allow_headers_force '';
}

# Force: allow headers?
if ($cors_allow_headers_force ~ '.+') {
	set $cors_allow_headers $cors_allow_headers_force;
}

# Default: credentials
if ($cors_allow_credentials = '') {
	set $cors_allow_credentials 'false';
}

# Default: expose headers
if ($cors_allow_expose_headers = '') {
	set $cors_allow_expose_headers $cors_allow_expose_headers_default;
}

# Default: vary
if ($cors_vary = '') {
	set $cors_vary $cors_vary_default;
}

# Default: max age
if ($cors_max_age = '') {
	set $cors_max_age '86400';
}

# Check: Vary
if ($cors_vary = 'false') {
	set $cors_vary '';
}

# Preflight?
if ($request_method = 'OPTIONS') {
	set $cors_preflight 'true';
}

# Enabled?
if ($cors_enabled !~ '^true$') {
	set $cors_enabled 'disabled';
	set $cors_preflight 'disabled';
	set $cors_allow_credentials 'disabled';
}

# Default: debug
if ($cors_debug = '') {
	set $cors_debug 'false';
}

# Default: $cors_path
if ($cors_path = '') {
	set $cors_path '<<empty>>';
}

# Default: $cors_client
if ($cors_client = '') {
	set $cors_client '<<empty>>';
}

# Default: $cors_service
if ($cors_service = '') {
	set $cors_service '<<empty>>';
}

# Allow requested
if ($cors_enabled = 'true') {
	set $cors_allow_origin_value $cors_allow_origin;
	set $cors_vary_value $cors_vary;
	set $cors_allow_expose_headers_value $cors_allow_expose_headers;
}

# Preflight headers
if ($cors_preflight = 'true') {
	set $cors_allow_methods_value $cors_allow_methods;
	set $cors_allow_headers_value $cors_allow_headers;
	set $cors_max_age_value $cors_max_age;
}

# With credentials?
if ($cors_allow_credentials = 'true') {
	set $cors_allow_credentials_value 'true';
}

# Verbose
if ($cors_verbose = '') {
	set $cors_verbose 'false';
}

if ($cors_verbose = 'true') {
	set $cors_enabled_verbose $cors_enabled;
	set $cors_service_vebose $cors_service;
	set $cors_client_vebose $cors_client;
}

add_header X-CORS-Verbose-Enabled $cors_enabled_verbose;
add_header X-CORS-Verbose-Service $cors_service_vebose;
add_header X-CORS-Verbose-Client $cors_client_vebose;

# CORS
add_header Access-Control-Allow-Origin $cors_allow_origin_value always;
add_header Access-Control-Allow-Methods $cors_allow_methods_value;
add_header Access-Control-Allow-Headers $cors_allow_headers_value;
add_header Access-Control-Expose-Headers $cors_allow_expose_headers_value;
add_header Access-Control-Allow-Credentials $cors_allow_credentials_value;
add_header Access-Control-Max-Age $cors_max_age_value;
add_header Vary $cors_vary_value always;

# Debug
if ($cors_debug = 'true') {
    set $cors_debug_enabled $cors_enabled;
    set $cors_debug_preflight $cors_preflight;
    set $cors_debug_service $cors_service;
    set $cors_debug_client $cors_client;
    set $cors_debug_path $cors_path;
    set $cors_debug_http_origin $http_origin;
    set $cors_debug_request "$scheme://$host$request_uri";
    set $cors_debug_request_method $request_method;
    set $cors_debug_allow_origin $cors_allow_origin;
    set $cors_debug_allow_methods $cors_allow_methods;
    set $cors_debug_allow_headers $cors_allow_headers;
    set $cors_debug_allow_credentials $cors_allow_credentials;
    set $cors_debug_allow_expose_headers $cors_allow_expose_headers;
    set $cors_debug_max_age $cors_max_age;
    set $cors_debug_vary $cors_vary;

    set $cors_debug_allow_origin_value $cors_allow_origin_value;
    set $cors_debug_allow_methods_value $cors_allow_methods_value;
    set $cors_debug_allow_headers_value $cors_allow_headers_value;
    set $cors_debug_allow_credentials_value $cors_allow_credentials_value;
    set $cors_debug_allow_expose_headers_value $cors_allow_expose_headers_value;
    set $cors_debug_max_age_value $cors_max_age_value;
}

add_header X-CORS-Debug-Enabled $cors_debug_enabled always;
add_header X-CORS-Debug-Preflight $cors_debug_preflight always;
add_header X-CORS-Debug-Service $cors_debug_service always;
add_header X-CORS-Debug-Client $cors_debug_client always;
add_header X-CORS-Debug-Path $cors_debug_path always;
add_header X-CORS-Debug-Http-Origin $cors_debug_http_origin always;
add_header X-CORS-Debug-Request $cors_debug_request always;
add_header X-CORS-Debug-Request-Method $cors_debug_request_method always;

add_header X-CORS-Debug-Var-Origin $cors_debug_allow_origin always;
add_header X-CORS-Debug-Var-Methods $cors_debug_allow_methods always;
add_header X-CORS-Debug-Var-Headers $cors_debug_allow_headers always;
add_header X-CORS-Debug-Var-Credentials $cors_debug_allow_credentials always;
add_header X-CORS-Debug-Var-Headers $cors_debug_allow_expose_headers always;
add_header X-CORS-Debug-Var-Max-Age $cors_debug_max_age always;
add_header X-CORS-Debug-Var-Vary $cors_debug_vary always;

add_header X-CORS-Debug-Access-Control-Allow-Origin $cors_debug_allow_origin_value always;
add_header X-CORS-Debug-Access-Control-Allow-Methods $cors_debug_allow_methods_value always;
add_header X-CORS-Debug-Access-Control-Allow-Headers $cors_debug_allow_headers_value always;
add_header X-CORS-Debug-Access-Control-Allow-Credentials $cors_debug_allow_credentials_value always;
add_header X-CORS-Debug-Access-Control-Expose-Headers $cors_debug_allow_expose_headers_value always;
add_header X-CORS-Debug-Access-Control-Max-Age $cors_debug_max_age_value always;

# Preflight
if ($cors_preflight = 'true') {
    return 204;
}