Okay, I finally figured out a way. For anyone in the future:
The problem was that basicauth protected the pre-flight OPTIONS request made by the browser (Postman doesn’t make this OPTIONS request), but it couldn’t send the Authorization header before the server’s CORS policy had responded. In other words, the CORS policy was protected behind basicauth but couldn’t be authorized before the pre-flight response returned HTTP OK status.
What I did then was that I made basicauth only protect everything except OPTIONS requests. Here is my Caddyfile, which now completely seems to work. Feel free to let me know if there’s something wrong with this approach.
api.velosity.co

# Matchers: CORS pre-flight requests vs. everything else
@options {
	method OPTIONS
}
@other {
	not method OPTIONS
}

# Answer the pre-flight without authentication
handle @options {
	respond 204
	header Access-Control-Allow-Headers Authorization
	header Access-Control-Allow-Origin *
}

# Require basic auth for every non-OPTIONS request
basicauth @other {
	username <hashed-password>
}

reverse_proxy <server-ip-address>:2019 {
	header_down Access-Control-Allow-Headers *
	header_down Access-Control-Allow-Origin *
	header_up Origin <secret-origin-token>
}
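
The exchange described in the post, modelled as an added example (not part of the original post and not Caddy code): a browser's pre-flight against a proxy that puts basic auth in front of every method, and against one that exempts OPTIONS. The credentials, the origin `https://app.example` and all function names are constructed for illustration.

```python
import base64

# Constructed credentials and origin for this model; not values from the post.
USER, PASSWORD, ORIGIN = "demo", "demo-pass", "https://app.example"
BASIC = "Basic " + base64.b64encode(f"{USER}:{PASSWORD}".encode()).decode()

def server(method, headers, exempt_options):
    """Model of the proxy. exempt_options=False: basic auth guards every
    method. exempt_options=True: OPTIONS is answered before auth."""
    if method == "OPTIONS" and exempt_options:
        return 204, {"Access-Control-Allow-Origin": "*",
                     "Access-Control-Allow-Headers": "Authorization"}
    if headers.get("Authorization") != BASIC:
        return 401, {"WWW-Authenticate": "Basic"}
    return 200, {"Access-Control-Allow-Origin": "*"}

def browser_fetch(exempt_options):
    """Cross-origin GET with an Authorization header, as a browser sends it."""
    # Step 1: the pre-flight never carries the Authorization header.
    status, resp = server("OPTIONS", {
        "Origin": ORIGIN,
        "Access-Control-Request-Method": "GET",
        "Access-Control-Request-Headers": "authorization",
    }, exempt_options)
    allowed = [h.strip().lower()
               for h in resp.get("Access-Control-Allow-Headers", "").split(",")]
    # The pre-flight needs a 2xx status and must list Authorization by name.
    if not 200 <= status <= 299 or "authorization" not in allowed:
        return "blocked", status
    # Step 2: only now is the credentialed request sent.
    status, _ = server("GET", {"Origin": ORIGIN, "Authorization": BASIC},
                       exempt_options)
    return "sent", status

def direct_client(headers, exempt_options):
    """Non-browser client such as Postman: no pre-flight, one request."""
    return server("GET", headers, exempt_options)[0]

if __name__ == "__main__":
    print("browser, auth on all methods:", browser_fetch(False))
    print("browser, OPTIONS exempted:   ", browser_fetch(True))
    print("direct client with credentials, auth on all methods:",
          direct_client({"Authorization": BASIC}, False))
    print("direct client without credentials, OPTIONS exempted:",
          direct_client({}, True))
```

The last case is the check worth repeating against a real deployment: with OPTIONS exempted, a request without credentials must still be rejected with 401.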