Access-Control-Allow-Origin Multiple Origin IP - apache

CORS problem with Apache 2.2.15
I've read several posts but I can't find a solution for my problem:
conf.inc for Grafana dashboard:
<Location /grafana/dashboard/db/smart-meter-fault-management/>
Header always set Access-Control-Allow-Credentials true
Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
Header always set Access-Control-Max-Age "1000"
Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token"
Header always append Access-Control-Allow-Origin: "http://10.17.52.50:18080"
Header always append Access-Control-Allow-Origin: "http://10.17.62.50:18080"
# Header add Access-Control-Allow-Origin: "172.20.16.140"
Order deny,allow
Deny from all
Allow from 10.17.52.50
Allow from 10.17.62.50
Allow from 10.17.62.150
Allow from 10.17.62.250
Allow from 10.17.72.50
Allow from 10.17.72.150
Allow from 10.17.72.250
Allow from 172.19.24.88
Allow from 172.20.6.140
</Location>
Error on client:
The 'Access-Control-Allow-Origin' header contains multiple values 'http://10.17.52.50:18080, http://10.17.62.50:18080',
but only one is allowed. Origin 'http://10.17.52.50:18080' is therefore not allowed access.
I've seen
Access-Control-Allow-Origin Multiple Origin Domains?
but how can I handle this with IP and not with domain?
Regards

Related

Apache Proxy CORS on end server being down or timing out

I am using AngularJS on the UI and it can't tell the difference between the server being down or a timeout; both respond with something like the following. This is due to CORS. When the server is down or a request times out, Apache does not add the CORS header.
"{"data":null,"status":0,"config":{"method":"GET","transformRequest":[null],"transformResponse":[null],"url":"https://api.domain.com/containers/60539","headers":{"Accept":"application/json, text/plain, */*"}},"statusText":""}"
How can I make sure that I get the proper 502/503 statuses back from apache on the GET request while having 200 on the options?
Thank you!
Current Config:
<VirtualHost *:443>
ServerName api.domain.com
<IfModule proxy_module>
ProxyRequests Off
SSLProxyEngine On
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
ProxyPass / 1.1.1.1
Header set Access-Control-Allow-Origin "*"
Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate"
Header set Pragma "no-cache"
Header set Expires "Wed, 11 Jan 1984 05:00:00 GMT"
</IfModule>
SSLEngine on
SSLCertificateFile "${WILDCARDSSLCRT}"
SSLCertificateKeyFile "${WILDCARDSSLKEY}"
SSLCertificateChainFile "${WILDCARDSSLCHAIN}"
</VirtualHost>
Instead of Header set use Header always set:
Header always set Access-Control-Allow-Origin "*"
https://httpd.apache.org/docs/current/mod/mod_headers.html#Header explains:
The table that corresponds to always is used for locally generated error responses as well as successful responses.
And a couple of guides with some good guidance:
Getting CORS to work with Apache
Setting CORS (cross-origin resource sharing) on Apache with correct response headers allowing everything through

Apache mod_headers cannot unset header on a path

I am trying to set a header using mod_headers in Apache in all cases EXCEPT a certain path. I've tried each of the three variations below to do so, but none of them seem to work properly to exclude the path. In ALL cases I get the header for all requests, including those that match the example path, e.g.: http://example.com/charts/24_hour_commodity/450/300
<VirtualHost *:8200>
...
SetEnvIfNoCase Request_URI "^/charts/.*" frameallow
Header set X-Frame-Options SAMEORIGIN env=!frameallow
...
</VirtualHost>
Or:
<VirtualHost *:8200>
...
Header always set X-Frame-Options SAMEORIGIN
<LocationMatch "^/charts">
Header always unset X-Frame-Options
</LocationMatch>
...
</VirtualHost>
Or
<VirtualHost *:8200>
...
Header always set X-Frame-Options SAMEORIGIN
<Directory "/full/path/to/charts">
Header always unset X-Frame-Options
</Directory>
...
</VirtualHost>
#tried both with and without the 'always' in all configs
Can anyone help me figure out why the header is set in the first example or not unset in the following two? Any one working solution would be enough...
UPDATE:
After reading about order of processing on the Apache site, I tried using conditional blocks instead. Neither of those work either:
<If "%{REQUEST_URI} =~ m#^/charts#">
Header unset X-Frame-Options
</If>
Or
SetEnvIfNoCase Request_URI "^/charts" frameallow
<If "reqenv('frameallow') == 1">
Header unset X-Frame-Options
</If>
So, still broken. Must be something about the Header statements not firing after a certain point in processing. Or the ones in the conditional somehow firing before the main one and being overridden. Cannot find a way to debug it down to the root cause though.
Responses header with expression
Header always set Access-Control-Allow-Origin * "expr=%{REQUEST_URI} =~ m#^/specialPath$#"
This may add the header when the expr = true
http://httpd.apache.org/docs/current/mod/mod_headers.html
at the bottom of the section Header Directive

CORS Access-Control-Allow-Origin Error on Drupal 7 with Cloudflare

We have been having the problem where we get errors of the format.
Font from origin 'https://example.com' has been blocked from loading by
Cross-Origin Resource Sharing policy: No 'Access-Control-Allow-Origin'
header is present on the requested resource. Origin
'https://www.example.com' is therefore not allowed access.
We also get a "Redirect at origin" error.
We are using Drupal 7 and Cloudflare.
We have attempted to edit .htaccess to include
Header set Access-Control-Allow-Origin "https://example.com"
Header set Access-Control-Allow-Origin "https://www.example.com"
Tried quite a lot;
have purged cloudflare
restarted apache
tried wildcard "*"
Drupal CORS module
So far no joy.
As this approach is not working, I am wondering if something is being missed or if there is an alternate approach, such as why we are getting origin 'https://example.com' being in the request via Drupal and not 'https://www.example.com'.
Last note is that when I review some resources I see two distinct patterns.
If a resource has status of "301 Moved Permanently" in the request headers there is
Host www.example.com
Referer https://example.com/
Where the status is "304 Not Modified"
Host example.com
Referer https://example.com/
It's odd that there is any www at all; htaccess should be redirecting and it is absent from base_url.
I have experienced a very similar issue.
Make sure that the headers module is enabled.
1 - To enable mod headers on Apache2 (httpd) you need to run this command:
sudo a2enmod headers
Then restart Apache
sudo service apache2 restart
2 - To allow Access-Control-Allow-Origin (CORS) authorization for specific origin domains for all files, add this in your .htaccess
<IfModule mod_headers.c>
Header set Access-Control-Allow-Origin https://example.org
Header set Access-Control-Allow-Origin https://example.com
Header set Access-Control-Allow-Origin https://example.eu
## SECURITY WARNING : never add following line when site is in production
## Header set Access-Control-Allow-Origin "*"
</IfModule>
2 - To allow Access-Control-Allow-Origin (CORS) authorization for specific origin domains and for fonts only in our example, use FilesMatch like in the following section in your .htaccess
<FilesMatch "\.(ttf|otf|eot|woff|woff2)$">
<IfModule mod_headers.c>
Header set Access-Control-Allow-Origin https://example.org
Header set Access-Control-Allow-Origin https://example.com
Header set Access-Control-Allow-Origin https://example.eu
</IfModule>
</FilesMatch>
After making changes in .htaccess file, no need to restart your apache webserver
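The multiple-origin case raised in the first question on this page (IP origins) and by the repeated Header set lines just above, as an added example that is not part of the original posts. Access-Control-Allow-Origin carries a single origin, so the usual pattern is to match the request's Origin header against an allowlist and echo back only the one that matched; the variable name cors_origin is an assumption, and mod_setenvif and mod_headers are assumed to be loaded.

```apache
# Added example, not from the original posts.
# cors_origin is a hypothetical environment variable name.

# Weak: "append" joins both values into one comma-separated header,
# which browsers reject (the client error quoted in the first question).
#   Header always append Access-Control-Allow-Origin "http://10.17.52.50:18080"
#   Header always append Access-Control-Allow-Origin "http://10.17.62.50:18080"
# Weak: repeated "set" lines replace each other, so only the last
# origin listed is ever sent.

<Location /grafana/dashboard/db/smart-meter-fault-management/>
    # Compare the request's Origin header with an anchored allowlist.
    # The ^...$ anchors and escaped dots keep look-alike origins such as
    # http://10.17.52.50:18080.other.example from matching.
    SetEnvIf Origin "^(http://10\.17\.(52|62)\.50:18080)$" cors_origin=$1

    # Send exactly one origin, and only when the request's Origin matched.
    Header always set Access-Control-Allow-Origin "%{cors_origin}e" env=cors_origin
    Header always set Access-Control-Allow-Credentials "true" env=cors_origin

    # The response now depends on Origin, so caches must key on it.
    Header always merge Vary "Origin"
</Location>

# Same pattern with hostnames, limited to font files.
<FilesMatch "\.(ttf|otf|eot|woff|woff2)$">
    <IfModule mod_headers.c>
        SetEnvIf Origin "^(https://example\.(org|com|eu))$" cors_origin=$1
        Header set Access-Control-Allow-Origin "%{cors_origin}e" env=cors_origin
        Header merge Vary "Origin"
    </IfModule>
</FilesMatch>
```

A request whose Origin is not on the list gets no Access-Control-Allow-Origin header at all, so the browser refuses the cross-origin read.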

handling CORS preflight request in Apache

I have an AngularJS app deployed using Yeoman. CakePHP RESTful backend.
The Angular app sends in OPTIONS preflight requests, which the backend responds to with forbidden (403). In nginx, to solve this problem, I have used this:
if ($request_method = 'OPTIONS') {
    add_header 'Access-Control-Allow-Origin' '*';
    add_header 'Access-Control-Allow-Credentials' 'true';
    add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, PUT, DELETE';
    add_header 'Access-Control-Allow-Headers' 'X-AuthTokenHeader,Authorization,Content-Type,Accept,Origin,User-Agent,DNT,Cache-Control,X-Mx-ReqToken,Keep-Alive,X-Requested-With,If-Modified-Since';
    add_header 'Access-Control-Max-Age' 1728000;
    add_header 'Content-Type' 'text/plain; charset=UTF-8';
    add_header 'Content-Length' 0;
    return 204;
}
How do I go about doing this in Apache? Please provide some preliminary guidance/comments, I will figure out the details after that and improve the question with granular details.
I had the same question and the answer given does not solve the problem.
By looking around more I found you could do this using the rewrite, e.g:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ $1 [R=200,L]
(make sure you enable the rewrite mod)
Then you should use "always set" to set the headers, e.g.:
Header always set Access-Control-Allow-Origin "*"
Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS"
Explanations here: https://serverfault.com/questions/231766/returning-200-ok-in-apache-on-http-options-requests
Add this to the .htaccess file in your Apache root directory:
Header add Access-Control-Allow-Origin "*"
Header add Access-Control-Allow-Headers "origin, x-requested-with, content-type"
Header add Access-Control-Allow-Methods "PUT, GET, POST, DELETE, OPTIONS"
Make sure to activate the apache module headers:
a2enmod headers
Source: https://stackoverflow.com/a/11691776/1494875
If it helps -
I was using authentication so I also had to add following to make POST request work for me:
<LimitExcept OPTIONS>
Require valid-user
</LimitExcept>

Add X-Frame-Options for all urls on a web-site except a list of enabled

We want to add X-Frame-Options to all Http responses except some of them (as some pages are supposed to be shown in iframes, and outside of the website). How can this be done?
Solved by adding
Header set X-Frame-Options DENY
....
<LocationMatch "....">
Header unset X-Frame-Options
</LocationMatch>