Re: Problems with CORS

"Robin H. Johnson" <robbat2@xxxxxxxxxx> · Sun, 22 Oct 2017 20:10:46 +0000

On Sun, Oct 22, 2017 at 01:31:03PM +0000, Rudenko Aleksandr wrote:
> In past we rewrite http response header by Apache rules for our
> web-interface and pass CORS check. But now it’s impossible to solve on
> balancer level.
You CAN modify the CORS responses at the load-balancer level.

Find below the snippets needed to do it in HAProxy w/ Jewel-Civetweb;
specifically, this completely overrides the CORS if the Origin matches some
strings.

We use this to override the CORS for access via our customer interface panel,
so regardless of what CORS they set on the bucket, the panel always works.

frontend ...
  # Store variable for using later in the response.
  http-request set-var(txn.origin) req.hdr(Origin)
  acl override_cors var(txn.origin) -m end -i SOMEDOMAIN
  acl override_cors var(txn.origin) -m sub -i SOMEDOMAIN
  # Export fact as a boolean
  http-request set-var(txn.override_cors) bool(true) if override_cors
  http-request set-var(txn.override_cors) bool(false) unless override_cors

backend ...
  # We inject Origin headers for ..., so we must declare to the client
  # that the might be different in other requests.
  http-response add-header Vary Origin if { var(txn.origin) -m len gt 1
  # If the origin is the Panel, then override the CORS headers
  acl override_cors var(txn.override_cors),bool
  # 1. if OPTIONS: Override any 403 error to say it's ok instead
  # 403 means the OPTIONS request was being denied by the RGW as it didn't match.
  acl res_status_403 status eq 403 
  http-response set-status 200 if res_status_403 override_cors METH_OPTIONS
  # 2. if OPTIONS: Valid CORS has length 0
  http-response set-header Content-Length 0 if override_cors METH_OPTIONS
  # 3. Override CORS headers
  http-response set-header Access-Control-Allow-Headers origin,\ content-length,\ content-type,\ content-md5 if override_cors
  http-response set-header Access-Control-Allow-Origin %[var(txn.origin)] if override_cors
  http-response set-header Access-Control-Allow-Methods GET,\ HEAD,\ POST,\ OPTIONS,\ PUT,\ DELETE if override_cors
  http-response set-header Access-Control-Max-Age 600 if override_cors

> 
> What is right way?
> 
> ---
> Best regards,
> 
> Aleksandr Rudenko
> 
> 

> _______________________________________________
> ceph-users mailing list
> ceph-users@xxxxxxxxxxxxxx
> http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com

-- 
Robin Hugh Johnson
Gentoo Linux: Dev, Infra Lead, Foundation Asst. Treasurer
E-Mail   : robbat2@xxxxxxxxxx
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136
Attachment:
signature.asc

Description: Digital signature
_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com