HTTP 请求的 headers 没有 Origin
问题描述 投票:0回答:1
为什么HTTP请求头没有Origin? 从前端向后端发出任何请求后,我面临 CORS 冲突。
我有两个项目。两者都位于一台服务器上,具有一个公共 IP,但域不同。
项目#1:
前端(React.js)
IP - 84.201.143.32
域名 - https://place.nomoredomains.xyz
后端(Node.js、express、mongoDB)
IP - 84.201.143.32
域名 - https://api.place.nomoredomains.xyz
项目#2:
前端(React.js)
IP - 84.201.143.32
域名 - https://ypdiploma.nomoreparties.co/
后端(Node.js、express、mongoDB)
IP - 84.201.143.32
域名 - https://api.ypdiploma.nomoreparties.co
这两个项目都通过 Nginx 运行。
这是站点可用/默认配置:
server {
server_name api.place.nomoredomains.xyz;
location / {
proxy_pass http://localhost:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/place.nomoredomains.xyz/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/place.nomoredomains.xyz/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
server_name place.nomoredomains.xyz;
root /home/lexev/react-mesto-api-full-gha/frontend/build;
location / {
try_files $uri $uri/ /index.html;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/place.nomoredomains.xyz/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/place.nomoredomains.xyz/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
server_name api.ypdiploma.nomoreparties.co;
location / {
proxy_pass http://localhost:3001;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/place.nomoredomains.xyz/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/place.nomoredomains.xyz/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
server_name ypdiploma.nomoreparties.co;
root /home/lexev/ypdiploma/movies-explorer-frontend/build;
location / {
try_files $uri $uri/ /index.html;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/place.nomoredomains.xyz/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/place.nomoredomains.xyz/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = place.nomoredomains.xyz) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name place.nomoredomains.xyz;
return 404; # managed by Certbot
}server {
if ($host = api.place.nomoredomains.xyz) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name api.place.nomoredomains.xyz;
return 404; # managed by Certbot
}
server {
if ($host = ypdiploma.nomoreparties.co) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name ypdiploma.nomoreparties.co;
return 404; # managed by Certbot
}
server {
if ($host = api.ypdiploma.nomoreparties.co) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name api.ypdiploma.nomoreparties.co;
return 404; # managed by Certbot
}
项目 #1 工作正常,并发送所有带有 Origin 标头的请求,但项目 #2 不发送任何 Origin 标头。因此,我遇到了项目 #2 的 CORS 冲突。
项目 #1 HTTP 请求:
项目 #2 HTTP 请求:
CORS 错误:
我想你可能还需要 corsHandler 中间件代码:
const allowedCors = [
'https://ypdiploma.nomoreparties.co',
'http://ypdiploma.nomoreparties.co',
'https://ypdiploma.nomoreparties.co/',
'http://ypdiploma.nomoreparties.co/',
'http://localhost:3000',
];
const corsHandler = (req, res, next) => {
const { origin } = req.headers;
const { method } = req;
const DEFAULT_ALLOWED_METHODS = 'GET,HEAD,PUT,PATCH,POST,DELETE';
const requestHeaders = req.headers['access-control-request-headers'];
if (allowedCors.includes(origin)) {
res.header('Access-Control-Allow-Origin', origin);
res.header('Access-Control-Allow-Credentials', true);
}
if (method === 'OPTIONS') {
res.header('Access-Control-Allow-Methods', DEFAULT_ALLOWED_METHODS);
res.header('Access-Control-Allow-Headers', requestHeaders);
res.header('Access-Control-Allow-Credentials', true);
return res.end();
}
return next();
};
module.exports = { corsHandler };
这是我的应用程序:
require('dotenv').config();
const express = require('express');
const mongoose = require('mongoose');
const cookieParser = require('cookie-parser');
const { errors } = require('celebrate');
const helmet = require('helmet');
const { requestLogger, errorLogger } = require('./middlewares/logger');
const { corsHandler } = require('./middlewares/cors');
const { limiter } = require('./middlewares/limiter');
const errorHandler = require('./middlewares/errorHandler');
const { MONGOOSE_DB } = require('./constants/constants');
const { PORT = 3001 } = process.env;
const app = express();
mongoose.connect(MONGOOSE_DB);
app.use(helmet());
app.use(corsHandler);
app.use(express.json());
app.use(cookieParser());
app.use(requestLogger);
app.use('/', limiter, require('./routes/index'));
app.use(errorLogger);
app.use(errors());
app.use(errorHandler);
app.listen(PORT);
最后从前端部分获取:
class MainApi {
constructor() {
this._baseUrl = 'https://api.ypdiploma.nomoreparties.co'
this._headers = {
'Content-Type': 'application/json',
};
}
_getResponseData(res) {
if (res.ok) {
return res.json();
} else {
return Promise.reject(res);
}
}
getUserinfo() {
return fetch(this._baseUrl + '/users/me', {
headers: this._headers,
credentials: 'include',
}).then((res) => this._getResponseData(res));
}
}
const mainApi = new MainApi();
export default mainApi;
我尝试使用 Referer 标头实现 CORS 检查,但没有成功。我怀疑问题出在 NGINX 的默认配置中,但不幸的是我找不到哪里......
1个回答
0
投票
投票
您的逻辑会添加
Access-Control-Allow-CredentialsOPTIONS if (allowedCors.includes(origin)) {
res.header('Access-Control-Allow-Origin', origin);
res.header('Access-Control-Allow-Credentials', true); // added once
}
if (method === 'OPTIONS') {
res.header('Access-Control-Allow-Methods', DEFAULT_ALLOWED_METHODS);
res.header('Access-Control-Allow-Headers', requestHeaders);
res.header('Access-Control-Allow-Credentials', true); // added twice
return res.end();
}
您应该抵制通过手动设置 CORS 响应标头来“手动”实现 CORS 的诱惑;除非您非常熟悉 CORS 协议,否则这样做很容易出错。 Express.js 有一个 CORS 中间件;学习(安全地)配置它并使用它。
另请注意,将
http://ypdiploma.nomoreparties.co/https://ypdiploma.nomoreparties.co/最新问题
- Android 密钥库“未为用户设置 LSKF”
- Settings.py中的这个逻辑是关于数据库冗余的吗
- 如何在 Plotly 中将 Pandas 列设置为日期时间 x 轴
- tidyverse:在 R 中创建自定义分组变量
- 使用 C# 删除 CSV 文件中的字符串值
- Elasticsearch 错误:cluster_block_exception [FORBIDDEN/12/index 只读/允许删除 (api)],洪水阶段磁盘水位线超出
- 无法在 Pixela API 中创建新用户
- 以“TryParse”方式反序列化 json
- 一键停止打开多个窗口
- 电子邮件回复中的 RSA 技巧
- 地图图标的uni码是什么
- 需要 Lucene 4.1.0 源 jar 或 javadoc jar(以便在 Eclipse 中使用 Lucene 4.1.0 进行开发)
- 如何在Python中将Dict嵌套在Dict数组中?
- 有没有一种方法可以在模块级别调用时将函数注释为类型,但在类内部时显示其属性值?
- 如何高效地遍历Rust中的trait实现图?
- 求解耦合二阶 ODE,Python 中的数值
- 从右到左反转文本并举例
- 为什么即使调用了正确的先决中间件,也无法在全局 Laravel 中间件中访问 `$request->user()` ?
- Pandas 如何将列设置为日期时间列
- 如何对齐 SVG 内部的文本
© www.soinside.com 2019 - 2024. All rights reserved.