Php Laravel 5/Nginx-在web服务器级别设置CORS头的奇怪行为
我面对这个问题: 我在nginx中设置CORS头,方法如下:Php Laravel 5/Nginx-在web服务器级别设置CORS头的奇怪行为,php,nginx,laravel-5,http-headers,cors,Php,Nginx,Laravel 5,Http Headers,Cors,我面对这个问题: 我在nginx中设置CORS头,方法如下: add_header X-Frame-Options "SAMEORIGIN"; add_header X-Content-Type-Options "nosniff"; add_header X-XSS-Protection "1; mode=block"; add_header Access-Control-Allow-Origin "*"; add_header Access-Control-Allow-Methods "GET
add_header X-Frame-Options "SAMEORIGIN";
add_header X-Content-Type-Options "nosniff";
add_header X-XSS-Protection "1; mode=block";
add_header Access-Control-Allow-Origin "*";
add_header Access-Control-Allow-Methods "GET,POST,PUT,OPTIONS";
add_header Access-Control-Allow-Headers "Keep-Alive,User-Agent,X-Requested-With,Cache-Control,Content-Type";
我需要调用API端点对用户进行身份验证并发布JWT。发生的情况是,如果身份验证正常,服务器将使用以下标头进行响应:
Access-Control-Allow-Headers →Keep-Alive,User-Agent,X-Requested-With,Cache-Control,Content-Type
Access-Control-Allow-Methods →GET,POST,PUT,OPTIONS
Access-Control-Allow-Origin →*
Cache-Control →no-cache
Connection →keep-alive
Content-Encoding →gzip
Content-Type →application/json
Date →Thu, 17 Mar 2016 17:13:34 GMT
Server →nginx
Strict-Transport-Security →max-age=10886400; includeSubdomains
Transfer-Encoding →chunked
Vary →Accept-Encoding
X-Content-Type-Options →nosniff
X-Frame-Options →SAMEORIGIN
X-XSS-Protection →1; mode=block
但是,如果凭据无效,我会得到这些凭据:
Cache-Control →no-cache
Connection →keep-alive
Content-Encoding →gzip
Content-Type →application/json
Date →Thu, 17 Mar 2016 17:14:58 GMT
Server →nginx
Transfer-Encoding →chunked
Vary →Accept-Encoding
换句话说,正确的凭证为我提供带有CORS头的200状态代码,而错误的凭证为我提供不带CORS头的401状态代码
以下是用户控制器的身份验证方法:
public function authenticate(Requests\AuthenticateUserRequest $request)
{
$credentials = $request->only('username', 'password');
$customClaims = ['tfa' => null];
try
{
// attempt to verify the credentials and create a token for the user
if (!$token = JWTAuth::attempt($credentials, $customClaims))
{
// when this is the response, CORS headers are not set by nginx
return response()->json(Utils::standardResponse(false, 'Invalid credentials'), 401);
}
} catch (JWTException $e)
{
// something went wrong whilst attempting to encode the token
return response()->json(Utils::standardResponse(false, 'Could not create token'), 500);
}
[...email notification and other stuff...]
// all good so return the token
return response()->json(Utils::standardResponse(true, '', compact('token')));
}
N.B.我正在使用Postman进行测试,但实际的问题是,如果没有CORS头,我无法在浏览器中读取响应(通过React
fetch使用XHR)
解决。Nginxadd_header
仅在成功响应时设置header(200状态代码)
我确实需要使用nginx的模块。特别是,我做到了:
more_set_headers "Access-Control-Allow-Origin: *";
more_set_headers "Access-Control-Allow-Methods: GET,POST,PUT";
more_set_headers "Access-Control-Allow-Headers: Keep-Alive,User-Agent,X-Requested-With,Cache-Control,Content-Type";
正如文件中所建议的那样
如果未指定-s或-t,或列表值为空,则
不需要匹配。因此,以下指令设置
服务器输出头到any状态代码和any
内容类型:
更多设置标题“服务器:我的服务器”代码>
当nginx version=1.7.5时,您可以始终在此处引用