Access-Control-Allow-Origin stopped working after NGINX installation

Operating System & Version
CentOS v7.9
cPanel & WHM Version
100.0.5

Intekhab

Member
Apr 22, 2007
7
0
151
Access-Control-Allow-Origin has been working fine for me.

I have the following on my PHP code:
<?php header("Access-Control-Allow-Origin: https://frontend.com"); ?>
It was serving fine with the server config.

But after I installed nginx as reverse proxy, it is no longer working.

Firefox web console shows error:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://backend.com. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing). Status code: 401.

How do I make it to work again?
 

cPanelAnthony

Administrator
Staff member
Oct 18, 2021
1,046
111
118
Houston, TX
cPanel Access Level
Root Administrator
Hello! It looks like CORS needs to be set up differently in nginx. Does the following article help? It isn't an official cPanel article, but may have useful information.

 

Intekhab

Member
Apr 22, 2007
7
0
151
Actually looks like the issue was due to .htaccess blocking the IP.

The .htaccess there only allows access from my static IP. It was working fine with apace as it was passing my actual IP to .htaccess. But after NGINX reverse proxy it looks like it's passing server main IP to .htaccess as visitor ip.

Any way to solve it by making nginx passing the visitor IP (even its behind cloudflare) to .htaccess (for require IP matching)
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
9,796
1,530
313
cPanel Access Level
Root Administrator
@Intekhab - I'm not sure about the Cloudflare side of things, but we do mention that mod_remoteip should be installed as well in our documentation here:


Can you try that and see if that helps?
 

uk01

Well-Known Member
Dec 31, 2009
220
29
78
See further down here, I was using Magento and spent hours looking for the answer and tried about 500!

I added to the server configs, nginx configs, top level htaccess, everything, none worked. Then found this...

Scroll to "floorz commented on 26 Jul 2018"
It worked with cloudflare as soon as I added the first one

(screenhot attached)


****IMPORTANT EDIT****
Do not use the solution above, I found out it's wrong. I tested with fake domains and it made no difference. Yes it gets java working but it uses x-requested-with which we are not supposed to use. Infact it's only that line which triggers the java. It is not protected with the domains.

Use this...

<IfModule mod_headers.c>
Header add Access-Control-Allow-Origin "https://*.domain.com"
</IfModule>

It took me hours and hours to get this working.

A note to anyone else, if your CDN is loading from the /pub/static folder, you need to put this at the top of the htaccess file in the static folder, NOT in the top level htaccesss file which it says everywhere!!

Also wrap it in the mod header tags

Hope this helps someone, I got so stressed out with it!
 

Attachments

Last edited:
  • Like
Reactions: cPRex and Spirogg