CORS - Origin, getting referrer

Mike_Valstar · March 31, 2020, 6:05pm

1. My Caddy version (`caddy version`):

2.0 beta 20

2. How I run Caddy:

/var/www/caddy/caddy run --config /var/www/caddy/Caddyfile --resume --environ

a. System environment:

Ubuntu, systemd

d. My complete Caddyfile or JSON config:

# PTO API
api.pto.stage.example.com {
        tls email@example.com
        encode gzip
        reverse_proxy http://172.31.33.111:9003
        header {   
                Access-Control-Allow-Credentials true
                Access-Control-Allow-Headers Cache-Control,Content-Type
                Access-Control-Allow-Origin {http.request.header.Referer}
        }
}

3. The problem I’m having:

In the above config I’m attempting to set the Access-Control-Allow-Origin to be variable based on the user’s origin. I have 3 sites that need access to the API, however to have credentials allowed you cannot use * it needs to specify the domain.

With caddy 1, you were able to specify a list with the cors plugin, I’m trying to figure out how to replicate a similar functionality

4. Error messages and/or full log output:

N/A

5. What I already tried:

I’ve checked out the variables here JSON Config Structure - Caddy Documentation and have tried using the http.request.header.Referer value, however that will be the complete URL and I need just the host portion.

If a new variable needs to be added for this I would suggest http.request.origin

6. Links to relevant resources:

matt · March 31, 2020, 6:47pm

Thanks for the question! Can you file an issue to request this feature? Then I won’t forget about it. Sign in to GitHub · GitHub

Mike_Valstar · March 31, 2020, 6:49pm

done: Ddd origin as a variable for CORS settings · Issue #3206 · caddyserver/caddy · GitHub

matt · March 31, 2020, 8:29pm

Don’t you want the Origin header instead?

Mike_Valstar · March 31, 2020, 8:34pm

alright must have been a brain fart on my end… I thought I had tried that and was also having issues.

I’ll check we get that on the OPTIONS request as well as the GET/POST/Whatever

Mike_Valstar · April 1, 2020, 1:19pm

Yeah, you’re right, I must have made a typo or something while trying it.

I think an alias for this might still be helpful thou in restricting the list of domains. right now i’m using rewrite based on the filters to redirect those with a bad origin.

matt · April 1, 2020, 4:14pm

Great, so, does it work for you now? What kind of alias are you referring to?

Can you share? I want to see!

system · May 1, 2020, 4:14pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.