CORS error
Checklist
- Have you pulled and found the error with the jc21/nginx-proxy-manager:latest docker image?
- Yes
- Are you sure you're not using someone else's docker image?
- Yes
- Have you searched for similar issues (both open and closed)?
- Yes
Describe the bug
I keep running into CORS issues with my app (which is behind Nginx Proxy Manager).
Response to preflight request doesn't pass access control check: The 'Access-Control-Allow-Origin' header contains multiple values '*, *', but only one is allowed.
Nginx Proxy Manager Version
2.9.19
To Reproduce
This is my config, under Custom Locations (location = '/')
proxy_set_header X-Forwarded-Host $host:$server_port;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Connection '';
chunked_transfer_encoding off;
proxy_buffering off;
proxy_cache off;
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization,Accept';
This is the response in the browser, for the OPTIONS api call:

If I change the config to this:
proxy_set_header X-Forwarded-Host $host:$server_port;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Connection '';
chunked_transfer_encoding off;
proxy_buffering off;
proxy_cache off;
then the response becomes this-->

What could be the issue here? And how do I go about resolving it?
Thanks.
Any insights, anyone?
Use this
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'User-Agent,Keep-Alive,Content-Type';
add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
Hey any updates on this? I'm getting the same issues. My headers are not getting added. Or they seem to get added twice, which also breaks CORS.
Hey there,
I think I may also be facing a similar issue using NPM with the "Your_Spotify" self-hosted dashboard - everything works when I use localhost redirects for OAuth, but as soon as I redirect via my FQDN, I get CORS errors. I tried adding the headers mentioned above, but to no effect.
Specifically, it's an SSL cipher mismatch error which seems to be caused by the CORS misbehavior:
Try editing data/nginx/proxy_host/x.conf (x means your website id, 1 or 2 or 3 etc.) like this:
# ------------------------------------------------------------
# abc.domain.com
# ------------------------------------------------------------
map $scheme $hsts_header {
    https "max-age=63072000; preload";
}
server {
    set $forward_scheme http;
    set $server "xxx.xxx.xxx.xxx";
    set $port xxxx;
    listen 80;
    listen [::]:80;
    server_name abc.domain.com;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    proxy_http_version 1.1;
    access_log /data/logs/proxy-host-1_access.log proxy;
    error_log /data/logs/proxy-host-1_error.log warn;
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Scheme $scheme;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_http_version 1.1;
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'User-Agent,Keep-Alive,Content-Type';
        add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
        # Proxy!
        include conf.d/include/proxy.conf;
    }
    # Custom
    include /data/nginx/custom/server_proxy[.]conf;
}
This issue still exists in v2.11.2!
Additionally, don't know why, but after editing the x.conf file manually, the following config resolves this issue:
server {
    ...
    add_header 'Access-Control-Allow-Origin' $http_origin always;
    add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
    add_header 'Access-Control-Allow-Headers' 'User-Agent,Keep-Alive,Content-Type' always;
    add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range' always;
    ...
    location / {
        ...
        proxy_hide_header 'access-control-allow-origin';
        ...
    }
}
Now, the issue that remains is: it's seemingly not possible to set the above config via the GUI,
because any config added via the 'Custom Locations' setting goes into the location block only.
@jc21
Why is this so? And, how to be able to set this config via GUI itself?
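The pattern from the comment above (hide the upstream's copy of the header, then emit exactly one at the proxy), written out as an added example that is not from the thread or from the Nginx Proxy Manager project; it replaces the reflected `$http_origin` with an allowlist `map`. The `example.com` origins are placeholders, and loading the `map` blocks through `/data/nginx/custom/http.conf` is an assumption about where http-level config goes in your install.

```nginx
# Added example. The two map blocks belong in the http context
# (assumption: NPM includes /data/nginx/custom/http.conf there).
# Constructed allowlist; both origins are placeholders.
map $http_origin $cors_origin {
    default                          "";
    "https://app.example.com"        $http_origin;
    "https://dashboard.example.com"  $http_origin;
}
# Allow-Credentials is sent only when the origin matched the allowlist.
map $cors_origin $cors_credentials {
    default "";
    "~."    "true";
}

# location context: the proxy host's "location /" block.
location / {
    # Settings seen in the thread, kept as comments for comparison:
    #   add_header 'Access-Control-Allow-Origin' '*';                  # added on top of the upstream header -> "*, *"
    #   add_header 'Access-Control-Allow-Credentials' 'true';          # browsers reject credentials combined with "*"
    #   add_header 'Access-Control-Allow-Origin' $http_origin always;  # accepts every requesting origin

    # Drop the upstream's CORS headers so only the proxy's copy reaches the browser.
    proxy_hide_header 'Access-Control-Allow-Origin';
    proxy_hide_header 'Access-Control-Allow-Credentials';
    proxy_hide_header 'Access-Control-Allow-Methods';
    proxy_hide_header 'Access-Control-Allow-Headers';

    # add_header emits nothing for an empty value, so an origin that is
    # not on the allowlist receives no Allow-Origin/Allow-Credentials header.
    add_header 'Access-Control-Allow-Origin'      $cors_origin      always;
    add_header 'Access-Control-Allow-Credentials' $cors_credentials always;
    add_header 'Access-Control-Allow-Methods'     'GET, POST, OPTIONS' always;
    add_header 'Access-Control-Allow-Headers'     'User-Agent,Keep-Alive,Content-Type' always;
    # The response now differs per Origin, so caches must key on it.
    add_header 'Vary'                             'Origin' always;

    include conf.d/include/proxy.conf;
}
```

Checking the result with `curl -si -X OPTIONS -H 'Origin: https://app.example.com'` against the proxied host should show a single `Access-Control-Allow-Origin` line, and none at all for an origin outside the map.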
Today I had a similar issue, just added a "custom locations" in that particular proxy host via the web GUI.
Location: "/". Scheme, Hostname and Forward Port exactly the same as in Details.
Press the gear symbol, and I added the following in the "custom NGINX configuration" field:
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'User-Agent,Keep-Alive,Content-Type';
add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
After that change, the CORS issue was gone and my homer dashboard finally showed the uptime value.
Issue is now considered stale. If you want to keep it open, please comment :+1:
I still have the same issue
Anyone have a solution to cross domain CORS?
I tried using the configs above but they did nothing.
Same issue for me. Adding the mentioned configs to the advanced tab didn't work for me either.