Access-Control-Allow-Origin stopped working after NGINX installation

[Intekhab]

Access-Control-Allow-Origin has been working fine for me.

I have the following on my PHP code:
<?php header("Access-Control-Allow-Origin: https://frontend.com"); ?>
It was serving fine with the server config.

But after I installed nginx as reverse proxy, it is no longer working.

Firefox web console shows error:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://backend.com. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing). Status code: 401.

How do I make it to work again?

 

[cPanelAnthony]

Hello! It looks like CORS needs to be set up differently in nginx. Does the following article help? It isn't an official cPanel article, but may have useful information.

How to Enable CORS in Apache and Nginx?

Restrict or allow resource sharing between sites using CORS header. CORS (Cross-Origin Resource Sharing) header is supported on all modern browsers. Can I

geekflare.com

 

[Intekhab]

Actually looks like the issue was due to .htaccess blocking the IP.

The .htaccess there only allows access from my static IP. It was working fine with apace as it was passing my actual IP to .htaccess. But after NGINX reverse proxy it looks like it's passing server main IP to .htaccess as visitor ip.

Any way to solve it by making nginx passing the visitor IP (even its behind cloudflare) to .htaccess (for require IP matching)

 

[cPRex]

@Intekhab - I'm not sure about the Cloudflare side of things, but we do mention that mod_remoteip should be installed as well in our documentation here:

NGINX with Reverse Proxy | cPanel & WHM Documentation

This document explains how to install NGINX with Reverse Proxy on a server that runs cPanel & WHM and EasyApache 4.

docs.cpanel.net

Can you try that and see if that helps?

 

[uk01]

See further down here, I was using Magento and spent hours looking for the answer and tried about 500!

I added to the server configs, nginx configs, top level htaccess, everything, none worked. Then found this...

how to set CORS Origin Url value? · Issue #4 · splashlab/magento-2-cors-requests

Hi, I have configured CORS Origin Url to * or https://cdn.magentobiz.com, but both value was not working for me, it still show following errors: (index):1 Access to Font at 'https://cdn.magentobiz....

github.com

Scroll to "floorz commented on 26 Jul 2018"
It worked with cloudflare as soon as I added the first one

(screenhot attached)


****IMPORTANT EDIT****
Do not use the solution above, I found out it's wrong. I tested with fake domains and it made no difference. Yes it gets java working but it uses x-requested-with which we are not supposed to use. Infact it's only that line which triggers the java. It is not protected with the domains.

Use this...

<IfModule mod_headers.c>
Header add Access-Control-Allow-Origin "https://*.domain.com"
</IfModule>

It took me hours and hours to get this working.

A note to anyone else, if your CDN is loading from the /pub/static folder, you need to put this at the top of the htaccess file in the static folder, NOT in the top level htaccesss file which it says everywhere!!

Also wrap it in the mod header tags

Hope this helps someone, I got so stressed out with it!