new nginx conf

2025-09-26 09:53:29 +03:00 · 2025-09-26 09:53:29 +03:00 · dc6579a20b
parent 23ef27c95b
commit dc6579a20b
1 changed files with 30 additions and 10 deletions
--- a/nginx.conf
+++ b/nginx.conf
@ -27,6 +27,13 @@ map $http_upgrade $connection_upgrade {
    '' close;
 }

+# CORS: reflect Origin if present (fixes credentials-mode restriction)
+# If no Origin header -> do not send A-C-A-Origin
+map $http_origin $cors_origin {
+    ""                          "";
+    ~^https?://[^/]+$           $http_origin;
+}
+
 server {
    listen 80;
    server_name my-public-node-8.projscale.dev;
@ -49,7 +56,7 @@ server {
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;
-    # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; # enable after confirming HTTPS only
+    # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    # Общие параметры для стабильности и больших файлов
    client_max_body_size 10G;
@ -69,10 +76,12 @@ server {
    add_header Referrer-Policy strict-origin-when-cross-origin always;
    add_header X-Request-Id $req_id always;

-    # CORS (для API и префлайтов)
-    add_header Access-Control-Allow-Origin * always;
-    add_header Access-Control-Allow-Methods "GET, POST, OPTIONS, PATCH, HEAD" always;
+    # CORS: apply globally; specific locations may add extra Expose/Allow lists
+    add_header Access-Control-Allow-Origin $cors_origin always;
+    add_header Access-Control-Allow-Credentials "true" always;
+    add_header Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS, HEAD" always;
    add_header Access-Control-Allow-Headers "Origin, Cache-Control, Content-Type, Accept, Authorization, Referer, User-Agent, Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site, Tus-Resumable, tus-resumable, Upload-Length, upload-length, Upload-Offset, upload-offset, Upload-Metadata, upload-metadata, Upload-Defer-Length, upload-defer-length, Upload-Concat, upload-concat, x-file-name, x-last-chunk, x-chunk-start, x-upload-id, x-request-id" always;
+    add_header Vary "Origin" always;

    # Статика фронтенда (SPA)
    location / {
@ -123,10 +132,14 @@ server {
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Request-Id $req_id;
-        add_header Access-Control-Allow-Origin * always;
+
+        # CORS for tus
+        add_header Access-Control-Allow-Origin $cors_origin always;
+        add_header Access-Control-Allow-Credentials "true" always;
        add_header Access-Control-Allow-Methods "GET, POST, PATCH, HEAD, OPTIONS" always;
        add_header Access-Control-Allow-Headers "Origin, Cache-Control, Content-Type, Accept, Authorization, Referer, User-Agent, Tus-Resumable, Upload-Length, Upload-Offset, Upload-Metadata, Upload-Defer-Length, Upload-Concat" always;
        add_header Access-Control-Expose-Headers "Location, Upload-Offset, Tus-Version, Tus-Resumable, Tus-Max-Size, Tus-Extension" always;
+        add_header Vary "Origin" always;

        if ($request_method = OPTIONS) { return 204; }
    }
@ -152,10 +165,14 @@ server {
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Request-Id $req_id;
-        add_header Access-Control-Allow-Origin * always;
+
+        # CORS for file GET/HEAD
+        add_header Access-Control-Allow-Origin $cors_origin always;
+        add_header Access-Control-Allow-Credentials "true" always;
        add_header Access-Control-Allow-Methods "GET, HEAD, OPTIONS" always;
        add_header Access-Control-Allow-Headers "Origin, Cache-Control, Content-Type, Accept, Authorization, Referer, User-Agent" always;
        add_header Access-Control-Expose-Headers "Location, Upload-Offset, Tus-Version, Tus-Resumable, Tus-Max-Size, Tus-Extension" always;
+        add_header Vary "Origin" always;

        if ($request_method = OPTIONS) { return 204; }
    }
@ -181,9 +198,12 @@ server {
        proxy_send_timeout 300s;
        proxy_read_timeout 300s;

-        add_header Access-Control-Allow-Origin * always;
-        add_header Access-Control-Allow-Methods "GET, HEAD, OPTIONS" always;
-        add_header Access-Control-Allow-Headers "Origin, Cache-Control, Content-Type, Accept, Authorization, Referer, User-Agent" always;
+        # CORS for API
+        add_header Access-Control-Allow-Origin $cors_origin always;
+        add_header Access-Control-Allow-Credentials "true" always;
+        add_header Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS, HEAD" always;
+        add_header Access-Control-Allow-Headers "Origin, Cache-Control, Content-Type, Accept, Authorization, Referer, User-Agent, Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site" always;
+        add_header Vary "Origin" always;

        # Вебсокеты (на будущее)
        proxy_set_header Upgrade $http_upgrade;
@ -201,4 +221,4 @@ server {
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Request-Id $req_id;
    }
-}
+}