Merge pull request #304 from coreruleset/add-cors-headers-default-nginx

feat: add cors headers default nginx

README.md

@@ -208,6 +208,10 @@ These variables are common to image variants and will set defaults based on the
 
 | Name     | Description|
 | -------- | ------------------------------------------------------------------- |
+| CORS_HEADER_403_ALLOW_ORIGIN | The value of the [Access-Control-Allow-Origin](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin) header for `403` responses. Determines which origins can access the response. (Default: `"*"`). |
+| CORS_HEADER_403_ALLOW_METHODS | The value of the [Access-Control-Request-Method](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method) header for `403` responses. Determines the allowed request methods for the resource. Default: `"GET, POST, PUT, DELETE, OPTIONS"` |
+| CORS_HEADER_403_CONTENT_TYPE | The value of the  `Content-Type` header for `403` responses. Default: (`"text/plain"`) |
+| CORS_HEADER_403_MAX_AGE | The value of the [Access-Control-Max-Age](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Max-Age) header for `403` responses. The number of seconds that preflight requests for this resource may be cached by the browser. (Default: `3600`) |
 | DNS_SERVER  | A string indicating the name servers used to resolve names of upstream servers into addresses. For localhost backend this value should not be defined (Default: _not defined_) |
 | KEEPALIVE_TIMEOUT  | Number of seconds for a keep-alive client connection to stay open on the server side (Default: `60s`) |
 | NGINX_ALWAYS_TLS_REDIRECT | A string value indicating if http should redirect to https (Allowed values: `on`, `off`. Default: `off`) |

nginx/Dockerfile

@@ -114,6 +114,11 @@ LABEL maintainer="Felipe Zipitria <[email protected]>"
 ENV \
     ACCESSLOG=/var/log/nginx/access.log \
     BACKEND=http://localhost:80 \
+    CORS_HEADER_403_ALLOW_ORIGIN="*" \
+    CORS_HEADER_403_ALLOW_METHODS="GET, POST, PUT, DELETE, OPTIONS" \
+    CORS_HEADER_403_CONTENT_TYPE="text/plain" \
+    CORS_HEADER_403_MAX_AGE=3600 \
+    CORS_HEADER_ACCESS_CONTROL_ALLOW_HEADERS="*" \
     DNS_SERVER= \
     ERRORLOG=/var/log/nginx/error.log \
     KEEPALIVE_TIMEOUT=60s \

nginx/Dockerfile-alpine

@@ -107,6 +107,11 @@ LABEL maintainer="Felipe Zipitria <[email protected]>"
 ENV \
     ACCESSLOG=/var/log/nginx/access.log \
     BACKEND=http://localhost:80 \
+    CORS_HEADER_403_ALLOW_ORIGIN="*" \
+    CORS_HEADER_403_ALLOW_METHODS="GET, POST, PUT, DELETE, OPTIONS" \
+    CORS_HEADER_403_CONTENT_TYPE="text/plain" \
+    CORS_HEADER_403_MAX_AGE=3600 \
+    CORS_HEADER_ACCESS_CONTROL_ALLOW_HEADERS="*" \
     DNS_SERVER= \
     ERRORLOG=/var/log/nginx/error.log \
     KEEPALIVE_TIMEOUT=60s \

nginx/templates/conf.d/default.conf.template

@@ -62,6 +62,7 @@ server {
     location / {
         client_max_body_size 0;
 
+        include includes/cors.conf;
         include includes/proxy_backend.conf;
 
         index index.html index.htm;

nginx/templates/includes/cors.conf.template

@@ -0,0 +1,5 @@
+more_set_headers -s 403 'Content-Type' '${CORS_HEADER_403_CONTENT_TYPE}';
+more_set_headers -s 403 'Access-Control-Allow-Origin' '${CORS_HEADER_403_ALLOW_ORIGIN}';
+more_set_headers -s 403 'Access-Control-Max-Age' '${CORS_HEADER_403_MAX_AGE}';
+more_set_headers -s 403 'Access-Control-Allow-Methods' '${CORS_HEADER_403_ALLOW_METHODS}';
+more_set_headers 'Access-Control-Allow-Headers' '${CORS_HEADER_ACCESS_CONTROL_ALLOW_HEADERS}';

nginx/templates/nginx.conf.template

@@ -1,4 +1,6 @@
 load_module modules/ngx_http_modsecurity_module.so;
+# allows to add cors headers when replying with 403
+load_module modules/ngx_http_headers_more_filter_module.so;
 
 worker_processes auto;
 pid /tmp/nginx.pid;