Nginxda cors sozlamalari

index

Kirish

Cors - asosan begona domenlardan asosiy domen ma’lumotlarini boshqarish uchun ishlatiladi. Odatda bu texnologiyadan frontend dasturchilar judayam yaxshi xabardor bo’lishadi. Chunki api so’rovlar uchun har doim cors sozlamalari muhim rol o’ynaydi. Lekin masalaning asosiy tomoni shudaki biz doim ham cors sozlamalari to’g’ri ko’rsatmaymiz. Brauzerlar rivojlangani sari ularning turali va standartlari ham ko’paymoqda. Masalan mozillada bir standart bo’lsa, chromeda boshqa standart qo’llaniladi. Oddiy misolda safari brauzerida wildcard (yulduzcha) orqali berilgan cors sozlamalari xavfsizlik talablari sabab ishlamaydi.(shuni yaqinda bildim hay)

Nginxning har doimgidek hayratlarni konfiguratsiyalari cors sozlamalari uchunam alohida e’tibor qaratishni talab qiladi. Nginx juda ko’plab imkoniyatlarga egaligi sababli unda cors sozlamalarini ham turlicha sozlash imkoni mavjud. Bugun esa aynan shu confiratsiyaning kerakli domenlarni filtrlay olish kabi metodi bilan ko’rib chiqamiz.

Map moduli

Nginxda map moduli xuddi boshqa tillardagi switch yoki match case kabi ishlaydi. U bilan ma’lum o’zgaruvchini turli shartlar asosida tekshirib boshqa o’zgaruvchiga nusxalash yoki alohida qiymatda e’lon qilish mumkin.

masalan:

1
map $uri $new_uri {
2
    /old.html /new.html;
3
}
4

5
server {
6
    if ($new_uri) {
7
        rewrite ^ $new_uri permanent;
8
    }
9
}
10

11
yoki:
12

13
```nginx
14
map $uri $new_uri {
15
    /old-page      /new-page;
16
    /products.html /shop/;
17
    /about-old     /about-us;
18
}
19

20
server {
21
    if ($new_uri) {
22
        rewrite ^ $new_uri permanent;
23
    }
24
}

Yuqoridagi konfiguratsiyalar orqali eski sahifaga murojaat kuzatilganda uni yangi sahifaga yo’naltirsak bo’ladi.

Yoki nginx geoip moduli (Maxmind deyiladi o’zi) orqali resurslarni faqat kerakli mamlakatlar uchun ruxsat berishni sozlasak:

1
map $geoip_country_code $allowed_country {
2
    default no;
3
    country_code_1 yes;
4
    country_code_2 yes;
5
}
6

7
server {
8
  if ($allowed_country = no) {
9
        return 403;
10
    }
11
}

Endi yuqoridagi misollar bilan keyinchalik cors sozlamalarida kerakli hostlarni boshqarishni ko’rsak bo’ladi.

1
map $http_origin $cors_origin_header {
2
    default "";
3
    "http://cctld.uz" "$http_origin";
4
    "https://cctld.uz" "$http_origin";
5
    "~^https?://.*.cctld.uz$" "$http_origin";
6
}
7

8
map $http_origin $cors_cred {
9
    default "";
10
    "http://cctld.uz" "true";
11
    "https://cctld.uz" "true";
12
    "~^https?://.*.cctld.uz$" "true";
13
}

Lekini bor ya’ni map modulida regexdan ham foydalanish mumkin, uchinchi shartdagi regex bu subdomenlar tekshiruvi uchun ishlay oladi masalan.

Http sarlavhalar:

Sarlavhalarni nginxda http_headers_module orqali moduli bilan boshqarish mumkin, bu uchun add_header ‘key’ ‘value’; shaklida kerakli qatorlarni kiritishning o’zi yetarli.

shunda bu uchun yakuniy konfiguratsiya:

1
map $http_origin $cors_origin_header {
2
    default "";
3
    "http://cctld.uz" "$http_origin";
4
    "https://cctld.uz" "$http_origin";
5
    "~^https?://.*.cctld.uz$" "$http_origin";
6
}
7

8
map $http_origin $cors_cred {
9
    default "";
10
    "http://cctld.uz" "true";
11
    "https://cctld.uz" "true";
12
    "~^https?://.*.cctld.uz$" "true";
13
}
14

15
server {
16
  location / {
17
    if ($request_method = 'OPTIONS') {
18
      add_header 'Access-Control-Allow-Origin' '$cors_origin_header';
19
        add_header 'Access-Control-Allow-Credentials' '$cors_cred';
20
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
21
        add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
22
        add_header 'Access-Control-Max-Age' 1728000;
23
        add_header 'Content-Type' 'text/plain charset=UTF-8';
24
        add_header 'Content-Length' 0;
25
        return 204;
26
    }
27

28
    if ($request_method = 'POST') {
29
      add_header 'Access-Control-Allow-Origin' '$cors_origin_header';
30
        add_header 'Access-Control-Allow-Credentials' '$cors_cred';
31
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
32
        add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
33
    }
34

35
    if ($request_method = 'GET') {
36
      add_header 'Access-Control-Allow-Origin' '$cors_origin_header';
37
        add_header 'Access-Control-Allow-Credentials' '$cors_cred';
38
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
39
        add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
40
    }
41
  }
42
}