Enhance CORS configuration in nginx.conf

BotellaA · web-flow · commit faba15272c74 · 2026-04-08T20:03:37.000+02:00
Added CORS headers for OPTIONS requests and updated max age.
diff --git a/nginx.conf b/nginx.conf
@@ -3,11 +3,12 @@ events {
 }
 
 http {
+  # Map only allows your geode-solutions.com domains (including next.vease.geode-solutions.com)
   map $http_origin $allow_origin {
-      ~^https://(.*\.)?geode-solutions\.com$  $http_origin;
-      default                                  "";
+    ~^https://(.*\.)?geode-solutions\.com$  $http_origin;
+    default "";
   }
-  
+
   gzip on;
   gzip_proxied any;
   gzip_types text/plain application/json;
@@ -16,51 +17,56 @@ http {
   server {
     listen 80;
     server_name localhost;
-
     client_max_body_size 0;
 
-    location / {
-      if ($request_method = OPTIONS) {
+    # ====================== /geode/ location ======================
+    location ~ "^/geode/" {
+      # Preflight OPTIONS - handled by nginx (fast, no hit to Flask)
+      if ($request_method = 'OPTIONS') {
         add_header 'Access-Control-Allow-Origin'      $allow_origin always;
         add_header 'Access-Control-Allow-Credentials' 'true' always;
         add_header 'Access-Control-Allow-Methods'     'GET, POST, PUT, DELETE, PATCH, OPTIONS' always;
         add_header 'Access-Control-Allow-Headers'     'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization,X-CSRF-Token' always;
-        add_header 'Access-Control-Max-Age'           86400 always;
-        add_header 'Vary'                             'Origin' always;
-        add_header 'Content-Type'                     'text/plain; charset=utf-8' always;
-        add_header 'Content-Length'                   0 always;
+        add_header 'Access-Control-Max-Age'           1728000 always;   # 20 days
+        add_header 'Content-Type'                     'text/plain; charset=utf-8';
+        add_header 'Content-Length'                   0;
         return 204;
       }
-      return 404;
-    }
-    
-    location ~ "^/geode/" {
-      limit_except DELETE GET POST PUT OPTIONS {
-        deny all;
-      }
-    
+
+      # Normal requests
+      limit_except DELETE GET POST PUT OPTIONS { deny all; }
+
       add_header 'Access-Control-Allow-Origin'      $allow_origin always;
       add_header 'Access-Control-Allow-Credentials' 'true' always;
       add_header 'Access-Control-Allow-Methods'     'GET, POST, PUT, DELETE, PATCH, OPTIONS' always;
       add_header 'Access-Control-Allow-Headers'     'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization,X-CSRF-Token' always;
       add_header 'Access-Control-Expose-Headers'    'Content-Length,Content-Range' always;
       add_header 'Vary'                             'Origin' always;
-        
+
       rewrite "^/geode/(.*)" /$1 break;
       proxy_pass http://localhost:5000;
       proxy_http_version 1.1;
-      
       proxy_set_header Host $host;
       proxy_set_header X-Real-IP $remote_addr;
       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
       proxy_set_header X-Forwarded-Proto $scheme;
     }
 
+    # ====================== /viewer/ location ======================
     location ~ "^/viewer/" {
-      limit_except GET POST OPTIONS {
-        deny all;
+      if ($request_method = 'OPTIONS') {
+        add_header 'Access-Control-Allow-Origin'      $allow_origin always;
+        add_header 'Access-Control-Allow-Credentials' 'true' always;
+        add_header 'Access-Control-Allow-Methods'     'GET, POST, PUT, DELETE, PATCH, OPTIONS' always;
+        add_header 'Access-Control-Allow-Headers'     'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization,X-CSRF-Token' always;
+        add_header 'Access-Control-Max-Age'           1728000 always;
+        add_header 'Content-Type'                     'text/plain; charset=utf-8';
+        add_header 'Content-Length'                   0;
+        return 204;
       }
-      
+
+      limit_except GET POST OPTIONS { deny all; }
+
       add_header 'Access-Control-Allow-Origin'      $allow_origin always;
       add_header 'Access-Control-Allow-Credentials' 'true' always;
       add_header 'Access-Control-Allow-Methods'     'GET, POST, PUT, DELETE, PATCH, OPTIONS' always;
@@ -71,14 +77,31 @@ http {
       rewrite "^/viewer/(.*)" /$1 break;
       proxy_pass http://localhost:1234;
       proxy_http_version 1.1;
-      
       proxy_set_header Host $host;
       proxy_set_header X-Real-IP $remote_addr;
       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
       proxy_set_header X-Forwarded-Proto $scheme;
-
       proxy_set_header Connection "keep-alive, Upgrade";
       proxy_set_header Upgrade websocket;
     }
+
+    # Catch-all for anything else (optional, returns proper CORS even on 404)
+    location / {
+      if ($request_method = 'OPTIONS') {
+        add_header 'Access-Control-Allow-Origin'      $allow_origin always;
+        add_header 'Access-Control-Allow-Credentials' 'true' always;
+        add_header 'Access-Control-Allow-Methods'     'GET, POST, PUT, DELETE, PATCH, OPTIONS' always;
+        add_header 'Access-Control-Allow-Headers'     'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization,X-CSRF-Token' always;
+        add_header 'Access-Control-Max-Age'           1728000 always;
+        add_header 'Content-Type'                     'text/plain; charset=utf-8';
+        add_header 'Content-Length'                   0;
+        return 204;
+      }
+
+      add_header 'Access-Control-Allow-Origin'      $allow_origin always;
+      add_header 'Access-Control-Allow-Credentials' 'true' always;
+      add_header 'Vary'                             'Origin' always;
+      return 404;
+    }
   }
 }
