
Not able to self host, Not working as intended.

Open peopledrivemecrazy opened this issue 5 years ago • 8 comments

// Listen on a specific host via the HOST environment variable
var host = process.env.HOST || '0.0.0.0';
// Listen on a specific port via the PORT environment variable
var port = process.env.PORT || 8080;
 
var cors_proxy = require('cors-anywhere');
cors_proxy.createServer({
    originWhitelist: [], // Allow all origins
    requireHeader: ['origin', 'x-requested-with'],
    removeHeaders: ['cookie', 'cookie2']
}).listen(port, host, function() {
    console.log('Running CORS Anywhere on ' + host + ':' + port);
});

Base code from example and export PORT=8080 and export CORSANYWHERE_WHITELIST=https://my.domain.com/

Endpoints return

This API enables cross-origin requests to anywhere.

Usage:

/               Shows help
/iscorsneeded   This is the only resource on this host which is served without CORS headers.
/<url>          Create a request to <url>, and includes CORS headers in the response.

If the protocol is omitted, it defaults to http (https if port 443 is specified).

Cookies are disabled and stripped from requests.

Redirects are automatically followed. For debugging purposes, each followed redirect results
in the addition of a X-CORS-Redirect-n header, where n starts at 1. These headers are not
accessible by the XMLHttpRequest API.
After 5 redirects, redirects are not followed any more. The redirect response is sent back
to the browser, which can choose to follow the redirect (handled automatically by the browser).

The requested URL is available in the X-Request-URL response header.
The final URL, after following all redirects, is available in the X-Final-URL response header.


To prevent the use of the proxy for casual browsing, the API requires either the Origin
or the X-Requested-With header to be set. To avoid unnecessary preflight (OPTIONS) requests,
it's recommended to not manually set these headers in your code.


Demo          :   https://robwu.nl/cors-anywhere.html
Source code   :   https://github.com/Rob--W/cors-anywhere/
Documentation :   https://github.com/Rob--W/cors-anywhere/#documentation

peopledrivemecrazy avatar Jul 19 '20 19:07 peopledrivemecrazy

You've shown the server part only. Where is the client-side code?

And note that the environment variable only works if you use the default server.js from CORS Anywhere. The code snippet at the top uses cors-anywhere as a library, with an empty originWhitelist. If you want to restrict requests to a specific origin, use originWhitelist: ["https://my.domain.com"], instead (note: / is not at the end because an origin is port + :// + host (hostname + optional port separator & port)).

Rob--W avatar Jul 19 '20 19:07 Rob--W
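
Added example (not from the thread or the cors-anywhere project): one way to feed the environment variable into the library form while normalising each entry to a bare origin, so that a trailing slash like the one in `https://my.domain.com/` cannot cause a mismatch. The helper names are hypothetical, and the exact-string comparison against the Origin header is an assumption based on the note about the trailing slash.

```javascript
// Added example; helper names are hypothetical, not part of cors-anywhere.

// Parse a comma-separated list (the shape of CORSANYWHERE_WHITELIST) into
// exact origin strings: scheme://host[:port] with no trailing slash.
function parseOriginList(value) {
  const origins = [];
  for (const raw of (value || '').split(',')) {
    const entry = raw.trim();
    if (!entry) continue;
    const u = new URL(entry); // throws on malformed input
    if (u.protocol !== 'http:' && u.protocol !== 'https:') {
      throw new Error('Not an http(s) origin: ' + entry);
    }
    // A lone "/" is normalised away; anything more is probably a mistake.
    if (u.pathname !== '/' || u.search || u.hash || u.username || u.password) {
      throw new Error('Not a bare origin: ' + entry);
    }
    origins.push(u.origin);
  }
  return origins;
}

// Assumed model: the whitelist is compared with the Origin request header
// as an exact string, and an empty list lets every origin through.
function isOriginAllowed(whitelist, originHeader) {
  return whitelist.length === 0 || whitelist.includes(originHeader || '');
}

// Fail closed: refuse to start with an empty list instead of running open.
function loadWhitelist(env) {
  const list = parseOriginList(env.CORSANYWHERE_WHITELIST);
  if (list.length === 0) {
    throw new Error('CORSANYWHERE_WHITELIST is empty; proxy would accept any origin');
  }
  return list;
}

// Library usage (constructed):
//   cors_proxy.createServer({ originWhitelist: loadWhitelist(process.env), ... })
```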

	async function fetchInfo() {
		const res = await fetch(`${CORS}${URL}`).then(async data => {
			let d = await data.json();
			// ...
		})
		setTimeout(fetchInfo, 15000)
	}
	fetchInfo()

Something like this on the client side.

Let me try cloning repo.

peopledrivemecrazy avatar Jul 19 '20 19:07 peopledrivemecrazy

If I use the http://IP:8080 of the instance it seems to work, I have configured vhosts for the port 8080 and works on https://my.domain.com and it is behind Cloudflare.

Also, if I use the server.js after cloning it again works with http://IP:8080 and not https://my.domain.com

peopledrivemecrazy avatar Jul 19 '20 20:07 peopledrivemecrazy

So CORS Anywhere and your application are at the same origin? If so, you need to set the X-Requested-With request header, so that CORS Anywhere allows the request to go through.

CORS Anywhere requires either the Origin header or X-Requested-With to prevent direct requests (when visiting in the browser), because that would be a huge security issue for your website. See my comments at https://github.com/Rob--W/cors-anywhere/issues/39 for more info.

Rob--W avatar Jul 19 '20 21:07 Rob--W

No, they do not have same origin. Application is at (https://application.domain.com) and wants to use the cors server https://cors.domain.com/

The request structure from the client side will be https://cors.domain.com/https://api-resource.com/endpoint and client is expecting a JSON response. BTW https://cors-anywhere.herokuapp.com/ seems to work fine.

peopledrivemecrazy avatar Jul 20 '20 06:07 peopledrivemecrazy

Could it be that your server (in front of Node.js) normalizes URLs, such that /http://example.com/ becomes /http:/example.com/? That is a common mistake, see e.g. https://github.com/Rob--W/cors-anywhere/issues/143 (nginx) and https://github.com/Rob--W/cors-anywhere/issues/201 (Apache).

Rob--W avatar Jul 20 '20 12:07 Rob--W

No, doesn't look like it; the client points to the right URL.

This is the config

<VirtualHost *:80>
     ServerName cors.domain.com
     ServerAlias cors.domain.com
     ServerAdmin webmaster@localhost
     ProxyPreserveHost Off

    ProxyPass / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

peopledrivemecrazy avatar Jul 20 '20 16:07 peopledrivemecrazy

I don't understand what you're trying to say in your last comment.

In any case, have you tried putting a different Node.js application behind it, to see if the request.url is as expected?

require("http").createServer((req, res) => {
 res.end(req.url);
}).listen(8080);

and then send the request and check whether the returned URL matches the input URL.

Rob--W avatar Jul 20 '20 21:07 Rob--W
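
Added example (not from the thread or the cors-anywhere project): a small check that automates the comparison suggested above, sending a path through the front-end server to the echo server and naming the kind of rewriting seen, including the `/http://` to `/http:/` collapse. Function names are hypothetical; `probe` assumes Node 18+ for the global `fetch` and that the echo server from the comment above is listening behind the proxy.

```javascript
// Added example; function names are hypothetical.

// Compare the path that was sent with the req.url echoed back by the test
// server and name the kind of rewriting that happened in between.
function classifyPath(sent, echoed) {
  if (echoed === sent) return 'intact';
  // e.g. "/https://host/x" arriving as "/https:/host/x"
  if (echoed === sent.replace(/\/{2,}/g, '/')) return 'slashes-collapsed';
  let decoded = null;
  try {
    decoded = decodeURIComponent(sent);
  } catch (e) {
    // Malformed percent-escape in the probe: skip this comparison.
  }
  if (echoed === decoded) return 'percent-decoded';
  return 'rewritten';
}

// Send one probe through the front-end server and report what Node received.
// proxyBase is the public URL of the proxy host, targetUrl the URL that
// would normally be appended to it.
async function probe(proxyBase, targetUrl) {
  const sent = '/' + targetUrl;
  const res = await fetch(proxyBase.replace(/\/+$/, '') + sent);
  const echoed = await res.text();
  return { status: res.status, sent, echoed, verdict: classifyPath(sent, echoed) };
}

// Usage with the host names from this thread:
//   probe('https://cors.domain.com', 'https://api-resource.com/endpoint')
//     .then(console.log);
```

Any verdict other than `intact` means the server in front of Node.js altered the path before CORS Anywhere could parse the target URL from it.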