Fatal编程技术网
  • php/
  • Php Laravel 5/Nginx-在web服务器级别设置CORS头的奇怪行为

Php Laravel 5/Nginx-在web服务器级别设置CORS头的奇怪行为

php nginx laravel-5 cors

Php Laravel 5/Nginx-在web服务器级别设置CORS头的奇怪行为,php,nginx,laravel-5,http-headers,cors,Php,Nginx,Laravel 5,Http Headers,Cors,我面对这个问题: 我在nginx中设置CORS头,方法如下: add_header X-Frame-Options "SAMEORIGIN"; add_header X-Content-Type-Options "nosniff"; add_header X-XSS-Protection "1; mode=block"; add_header Access-Control-Allow-Origin "*"; add_header Access-Control-Allow-Methods "GET

我面对这个问题:

我在nginx中设置CORS头,方法如下:

add_header X-Frame-Options "SAMEORIGIN";
add_header X-Content-Type-Options "nosniff";
add_header X-XSS-Protection "1; mode=block";
add_header Access-Control-Allow-Origin "*";
add_header Access-Control-Allow-Methods "GET,POST,PUT,OPTIONS";
add_header Access-Control-Allow-Headers "Keep-Alive,User-Agent,X-Requested-With,Cache-Control,Content-Type";
我需要调用API端点对用户进行身份验证并发布JWT。发生的情况是,如果身份验证正常,服务器将使用以下标头进行响应:

Access-Control-Allow-Headers →Keep-Alive,User-Agent,X-Requested-With,Cache-Control,Content-Type
Access-Control-Allow-Methods →GET,POST,PUT,OPTIONS
Access-Control-Allow-Origin →*
Cache-Control →no-cache
Connection →keep-alive
Content-Encoding →gzip
Content-Type →application/json
Date →Thu, 17 Mar 2016 17:13:34 GMT
Server →nginx
Strict-Transport-Security →max-age=10886400; includeSubdomains
Transfer-Encoding →chunked
Vary →Accept-Encoding
X-Content-Type-Options →nosniff
X-Frame-Options →SAMEORIGIN
X-XSS-Protection →1; mode=block
但是,如果凭据无效,我会得到这些凭据:

Cache-Control →no-cache
Connection →keep-alive
Content-Encoding →gzip
Content-Type →application/json
Date →Thu, 17 Mar 2016 17:14:58 GMT
Server →nginx
Transfer-Encoding →chunked
Vary →Accept-Encoding
换句话说,正确的凭证为我提供带有CORS头的200状态代码,而错误的凭证为我提供不带CORS头的401状态代码

以下是用户控制器的身份验证方法:

public function authenticate(Requests\AuthenticateUserRequest $request)
    {
        $credentials = $request->only('username', 'password');
        $customClaims = ['tfa' => null];

        try
        {
            // attempt to verify the credentials and create a token for the user
            if (!$token = JWTAuth::attempt($credentials, $customClaims))
            {
                // when this is the response, CORS headers are not set by nginx 
                return response()->json(Utils::standardResponse(false, 'Invalid credentials'), 401);
            }
        } catch (JWTException $e)
        {
            // something went wrong whilst attempting to encode the token
            return response()->json(Utils::standardResponse(false, 'Could not create token'), 500);
        }

       [...email notification and other stuff...]

        // all good so return the token
        return response()->json(Utils::standardResponse(true, '', compact('token')));
    }
N.B.我正在使用Postman进行测试,但实际的问题是,如果没有CORS头,我无法在浏览器中读取响应(通过React
fetch使用XHR)解决。Nginx
add_header
仅在成功响应时设置header(200状态代码)

我确实需要使用nginx的模块。特别是,我做到了:


more_set_headers "Access-Control-Allow-Origin: *";
more_set_headers "Access-Control-Allow-Methods: GET,POST,PUT";
more_set_headers "Access-Control-Allow-Headers: Keep-Alive,User-Agent,X-Requested-With,Cache-Control,Content-Type";


正如文件中所建议的那样

如果未指定-s或-t,或列表值为空,则
不需要匹配。因此,以下指令设置
服务器输出头到any状态代码和any
内容类型:


更多设置标题“服务器:我的服务器”

当nginx version=1.7.5时,您可以始终在此处引用