使用nginx启用和验证CORS

w7t8yxp5 于 2023-04-11 发布在 Nginx

关注(0)|答案(1)|浏览(211)

我试图理解和测试CORS功能，通过启用它的nginx的web服务器和proxypass请求后端 flask 为基础的应用程序。这里是细节。
1.后端 flask 应用程序

[admin@fedser flask]$ cat postjson.py 
from flask import Flask, request

app = Flask(__name__)

@app.route('/postjson', methods=['POST'])
def process_json():
    content_type = request.headers.get('Content-Type')
    if (content_type == 'application/json'):
        json = request.json
        return json
    else:
        return 'Content-Type not supported!'

JSON数据示例

[admin@fedser flask]$ cat postdata.json 
{
"name": {
    "firstname": "Alice",
    "middlename": "Wonder",
    "lastname": "land"
},
"age": 20,
"gender": "Male"
}

启动 flask 应用程序

[admin@fedser flask]$ flask --app postjson run --host=fedser.stack.com --port=2121 &

1.使用proxypass在nginx上启用CORS并重新启动服务

[admin@fedser nginx]$ cat nginx.conf
...
server {
    location /proxyflask {
        add_header Access-Control-Allow-Origin "fedser.stack.com";
        proxy_pass http://fedser.stack.com:2121/postjson;
    }
    }
...

1.测试CORS功能
根据我对CORS功能的理解，如果请求来自同一来源，在我的情况下，来源是“fedser.stack.com”，则应允许如下。

[admin@fedser flask]$ curl -X POST -H "Content-type: application/json" 'http://fedser.stack.com/proxyflask' -d @postdata.json -v
Note: Unnecessary use of -X or --request, POST is already inferred.
*   Trying 192.168.29.117:80...
* Connected to fedser.stack.com (192.168.29.117) port 80 (#0)
> POST /proxyflask HTTP/1.1
> Host: fedser.stack.com
> User-Agent: curl/7.85.0
> Accept: */*
> Content-type: application/json
> Content-Length: 106
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: nginx/1.22.1
< Date: Wed, 05 Apr 2023 02:58:58 GMT
< Content-Type: application/json
< Content-Length: 96
< Connection: keep-alive
< Access-Control-Allow-Origin: fedser.stack.com
< 
{"age":20,"gender":"Male","name":{"firstname":"Alice","lastname":"land","middlename":"Wonder"}}
* Connection #0 to host fedser.stack.com left intact

但是如果我通过设置头将Origin更改为“example.com”，我假设它应该根据我启用的cors限制阻止我的请求，但它不会以这种方式发生。

[admin@fedser flask]$ curl -X POST -H "Content-type: application/json" -H "Origin: http://example.com" 'http://fedser.stack.com/proxyflask' -d @postdata.json -v
Note: Unnecessary use of -X or --request, POST is already inferred.
*   Trying 192.168.29.117:80...
* Connected to fedser.stack.com (192.168.29.117) port 80 (#0)
> POST /proxyflask HTTP/1.1
> Host: fedser.stack.com
> User-Agent: curl/7.85.0
> Accept: */*
> Content-type: application/json
> Origin: http://example.com
> Content-Length: 106
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: nginx/1.22.1
< Date: Wed, 05 Apr 2023 02:46:05 GMT
< Content-Type: application/json
< Content-Length: 96
< Connection: keep-alive
< Access-Control-Allow-Origin: fedser.stack.com
< 
{"age":20,"gender":"Male","name":{"firstname":"Alice","lastname":"land","middlename":"Wonder"}}
* Connection #0 to host fedser.stack.com left intact

请让我知道，如果我错过了一些东西在这里和我的理解有关cors。

nginx

来源：https://stackoverflow.com/questions/75935332/enable-and-validate-cors-using-nginx