Webinoly is just the perfect tool for NGINX experts. Give it a try!
Ask a Question

Problem with Nginx and "header contains multiple values"

0 votes
4.6k views
by Rookie

I needs to enable cors policy to reach to my api, i did the following configuration on my nginx server file:

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    server_name api.domain.com;

    location / {

       proxy_set_header X-Real-IP $remote_addr;
       proxy_set_header Host $host;
       proxy_pass http://my_ip:6869/;

        set $ref "*";
        if ($http_referer ~* ^(http?\:\/\/)(.*?)\/(.*)$) {
          set $ref $1$2;
        }
        add_header 'Access-Control-Allow-Origin' $ref always;
        add_header 'Access-Control-Allow-Credentials' 'true' always;
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, PUT, DELETE' always;
        add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,signature,timestamp' always;
        add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range' always;

    }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/api.domain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/api.domain.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

But i keep getting the following error:

Access to fetch at 'https://api.domain.com/data/key?matches=^art(.*)' from origin 'http://localhost:3500' has been blocked by CORS policy: The 'Access-Control-Allow-Origin' header contains multiple values '*, http://localhost:3500', but only one is allowed. Have the server send the header with a valid value, or, if an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

It seem that the add_header is adding on top of an already set header for Access-Control-Allow-Origin * but i only have this config file and don't see anywhere else where it could come from.

Is there a way to figure out what is setting the initial header cors policy or simply override it instead of adding to it?

Thank you in advance.

1 Answer

0 votes
by Expert

This forum is only for Webinoly users!

By the way, you should not use that code in production environment. For your particular question, see the "ref" variable you are setting.

Welcome to the Community site for Webinoly.

Our Optimized LEMP Web Server is a powerful set of commands for doing just about anything you could wish.

With Webinoly you can set up your NGINX web server in just one step.

* * * * * * *

To report a bug, please create a new issue on GitHub or ask a question here with the bug tag.

Related questions

Webinoly Support Paypal Donations

PayPal · GitHub Sponsors · Bitcoin

Snow Theme by Q2A Market
Powered by Question2Answer

It is very important that any visitor to the site read the disclaimer, terms of use and privacy and legal statement before start browsing.

...