Merge branch '314-make-the-api-cors-compliant' into 'django'

New location rule to manage CORS for API only. Closes #314 See merge request !171

Merge branch '314-make-the-api-cors-compliant' into 'django'
New location rule to manage CORS for API only. Closes #314 See merge request !171
8877a9c4 · BAIRE Anthony · bb48f4b4 · c87d973c · 8877a9c4
Commit 8877a9c4 authored May 13, 2019 by BAIRE Anthony
--- a/django/setup/files/etc/nginx/conf.d/allgo.conf.template
+++ b/django/setup/files/etc/nginx/conf.d/allgo.conf.template
@@ -78,6 +78,36 @@ server
 	try_files $uri/index.html $uri.html $uri @django;
  }

+  location /api/v1
+  {
+     if ($request_method = 'OPTIONS') {
+        add_header 'Access-Control-Allow-Origin' '*';
+        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+
+        add_header 'Access-Control-Max-Age' 1728000;
+        add_header 'Content-Type' 'text/plain; charset=utf-8';
+        add_header 'Content-Length' 0;
+
+        # Custom headers and headers various browsers *should* be OK with but aren't
+        #
+        add_header 'Access-Control-Allow-Headers' 'Content-Type,Authorization';
+
+        return 204;
+    }
+
+    add_header Access-Control-Allow-Origin "*";
+
+    # proxy_redirect off; # work without it, maybe it's bad to remove it
+    proxy_pass http://django;
+
+    # header set to distinguish between requests going directly from nginx and
+    # requests going through aio
+    #
+    # This is a security feature. Django trusts this value (like the
+    # X-Forwarded-* headers), do not remove it !
+    proxy_set_header	X-Origin	"nginx";
+  }
+
  location @django
  {
    proxy_redirect off;