我有一个 .Net 6 应用程序,对于以下请求返回如下响应。请注意,有
Access-Control-Allow-Origin
礼物:
$ curl -i http://localhost:5081/Artworks/IMG_9346m.jpg -H "origin:https://m.beatajakimiak.art.pl" -H "referer:https://m.beatajakimiak.art.pl/" -o /dev/null -v
* Trying 127.0.0.1:5081...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Connected to localhost (127.0.0.1) port 5081 (#0)
> GET /Artworks/IMG_9346m.jpg HTTP/1.1
> Host: localhost:5081
> User-Agent: curl/7.81.0
> Accept: */*
> origin:https://m.beatajakimiak.art.pl
> referer:https://m.beatajakimiak.art.pl/
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Content-Length: 465767
< Content-Type: image/jpeg
< Date: Thu, 24 Aug 2023 20:23:16 GMT
< Server: Kestrel
< Accept-Ranges: bytes
< Access-Control-Allow-Origin: https://m.beatajakimiak.art.pl
< ETag: "1d837e79f7d7b67"
< Last-Modified: Mon, 14 Mar 2022 21:08:16 GMT
< Vary: Origin
<
{ [16384 bytes data]
100 454k 100 454k 0 0 39.8M 0 --:--:-- --:--:-- --:--:-- 40.3M
* Connection #0 to host localhost left intact
我什至在托管nginx和这个网站的机器上打开了5081端口一段时间,直接调用。
Access-Control-Allow-Origin
就在那里。 CORS 请求运行良好。我可以在 chrome 开发工具的响应标头中看到标头。
我为其配置了 Nginx 代理,如下所示:
server {
server_name beatajakimiak.art.pl www.beatajakimiak.art.pl;
include /etc/nginx/snippets/global.conf;
include /etc/nginx/snippets/global_images_cache.conf;
#access_log /var/log/nginx/beatajakimiak_art_pl/access.log;
error_log /var/log/nginx/beatajakimiak_art_pl/error.log;
root /srv/www/beatajakimiakwebsite/wwwroot;
location / {
proxy_pass http://localhost:5081;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection keep-alive;
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
listen [::]:443 ssl http2; # managed by Certbot
listen 443 ssl; # managed by Certbot
... SSL CONFIGURATION ...
}
global.conf 看起来像这样:
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location ~ /\. {
deny all;
}
location ~* /(?:uploads|files)/.*\.php$ {
deny all;
}
location ~ /\.ht {
deny all;
}
add_header X-Frame-Options "SAMEORIGIN";
add_header X-Content-Type-Options "nosniff";
global_images_cache.conf 看起来像这样:
location ~* \.(?:jpg|jpeg|gif|png|ico|woff2)$ {
expires 1M;
add_header Cache-Control "public";
}
现在,使用此配置,如果我使用相同的卷曲调用我的网站,我不会在响应中收到 Access-Control-Allow-Origin 标头。我尝试使用其他自定义标头,但它们也没有转发到响应:
$ curl -i https://beatajakimiak.art.pl/Artworks/IMG_9346m.jpg -H "origin:https://m.beatajakimiak.art.pl" -H "referer:https://m.beatajakimiak.art.pl/" -o /dev/null -v
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 83.11.166.97:443...
[... TLS ...]
> GET /Artworks/IMG_9346m.jpg HTTP/2
> Host: beatajakimiak.art.pl
> user-agent: curl/7.81.0
> accept: */*
> origin:https://m.beatajakimiak.art.pl
> referer:https://m.beatajakimiak.art.pl/
>
[... TLS ...]
< HTTP/2 200
< server: nginx/1.18.0 (Ubuntu)
< date: Thu, 24 Aug 2023 20:24:08 GMT
< content-type: image/jpeg
< content-length: 465767
< last-modified: Mon, 14 Mar 2022 21:08:16 GMT
< etag: "622faec0-71b67"
< expires: Sat, 23 Sep 2023 20:24:08 GMT
< cache-control: max-age=2592000
< cache-control: public
< accept-ranges: bytes
<
[... TLS ...]
100 454k 100 454k 0 0 7416k 0 --:--:-- --:--:-- --:--:-- 7456k
* Connection #0 to host beatajakimiak.art.pl left intact
我的配置有什么问题,它隐藏了响应标头?
我终于找到了。我添加到每个网站的默认 nginx
global_images_cache.conf
片段是处理静态 jpg 文件而不是代理网站的请求。
从网站的 nginx 配置中排除
global_images_cache.conf
解决了我的问题。