Disable authentication for HTTP OPTIONS method (preflight request) in Nginx
19,279
Solution 1
Here's the solution I came up with. It insolves duplicating all the CORS add_header directives though.
location /api/ {
proxy_pass http://127.0.0.1:14000;
proxy_set_header Host $host;
add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
add_header Access-Control-Allow-Origin $http_origin;
add_header Access-Control-Allow-Headers "Authorization, Content-Type";
add_header Access-Control-Allow-Credentials true;
if ($request_method = OPTIONS) {
add_header Content-Length 0;
add_header Content-Type text/plain;
add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
add_header Access-Control-Allow-Origin $http_origin;
add_header Access-Control-Allow-Headers "Authorization, Content-Type";
add_header Access-Control-Allow-Credentials true;
return 200;
}
auth_basic "Restricted Area";
auth_basic_user_file /var/www/admin.htpasswd;
}
Solution 2
I found a cleaner solution which lets node manage the request:
Put the following configuration inside "location" and remove any auth_basic from server. This will work.
location / {
# Your node proxy configuration for example #
# Make options requests work #
limit_except OPTIONS {
auth_basic "Restricted access zone";
auth_basic_user_file /etc/nginx/pass/protected;
}
}
Related videos on Youtube
06 : 06
Learn CORS In 6 Minutes
12 : 35
CORS, Preflight Request, OPTIONS Method | Access Control Allow Origin Error Explained
![CORS Error & Solutions In A Nutshell [Cross Origin Resource Sharing]](https://i.ytimg.com/vi/gPzMRoPDrFk/hq720.jpg?sqp=-oaymwEcCNAFEJQDSFXyq4qpAw4IARUAAIhCGAFwAcABBg==&rs=AOn4CLCL9ZbwLoTEYnPYQFHRmL1ZdqSvVg)
04 : 07
CORS Error & Solutions In A Nutshell [Cross Origin Resource Sharing]
02 : 21
DevOps & SysAdmins: Disable authentication for HTTP OPTIONS method (preflight request) in Nginx
18 : 24
Securing Nginx Web Server | Hackersploit Linux Security
06 : 16
How to Password Protect Nginx with Basic Authentication
Author by
cleong
Updated on September 18, 2022Comments
-
cleong over 1 year
My problem is the exact same one as described here: Disable authentication for HTTP OPTIONS method (preflight request). I'm trying to use CORS and HTTP passwords at the same time. When the browser see an bounced OPTIONS (status code 401), for some reason it'll immediate check for the CORS headers (which will be absent) and reject the request.
Here's my config:
location /api/ { proxy_pass http://127.0.0.1:14000; proxy_set_header Host $host; add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"; add_header Access-Control-Allow-Origin $http_origin; add_header Access-Control-Allow-Headers "Authorization, Content-Type"; add_header Access-Control-Allow-Credentials true; auth_basic "Restricted Area"; auth_basic_user_file /var/www/admin.htpasswd; } -
Jan Koriťák over 7 yearsIf you use the headers_more module, you'll be able to avoid redundancy and configure this in more clean way: gist.github.com/anonymous/b843bd579041188441f51a7805cf537e
