CORS (403 Errors) when OPTIONS requests sent #860

Open
theophileds opened this issue Jan 23, 2024 · 0 comments
theophileds commented Jan 23, 2024

Issue:
We're encountering CORS problems with Mercure-Hub. Our JavaScript frontend code is encountering 403 errors when sending OPTIONS requests to Mercure. However, subsequent requests are functioning correctly.

The frontend uses the following endpoint:
https://www.domain.com/.well-known/mercure?topic=%2F740127%2Fnotification

Environment:

  • Mercure Image: dunglas/mercure:v0.14.10
  • Configuration:
    GLOBAL_OPTIONS: |-
      debug
      admin 0.0.0.0:2019
    MERCURE_EXTRA_DIRECTIVES: |
      cors_origins https://www.domain.com
      transport_url local://local
      ui
    MERCURE_PUBLISHER_JWT_ALG: RS256
    MERCURE_SUBSCRIBER_JWT_ALG: RS256
    SERVER_NAME: www.domain.com:80
    
  • Generated Nginx configuration from Ingress Controller:
server {
        server_name www.domain.com ;

        listen 80  ;
        listen [::]:80  ;
        listen 443  ssl http2 ;
        listen [::]:443  ssl http2 ;

        set $proxy_upstream_name "-";

        ssl_certificate_by_lua_block {
                certificate.call()
        }

        location / {

                set $namespace      "dev-namespace";
                set $ingress_name   "mercure-hub";
                set $service_name   "mercure-hub";
                set $service_port   "80";
                set $location_path  "/";
                set $global_rate_limit_exceeding n;

                rewrite_by_lua_block {
                        lua_ingress.rewrite({
                                force_ssl_redirect = true,
                                ssl_redirect = true,
                                force_no_ssl_redirect = false,
                                preserve_trailing_slash = false,
                                use_port_in_redirects = false,
                                global_throttle = { namespace = "", limit = 0, window_size = 0, key = { }, ignored_cidrs = { } },
                        })
                        balancer.rewrite()
                        plugins.run()
                }

                # be careful with `access_by_lua_block` and `satisfy any` directives as satisfy any
                # will always succeed when there's `access_by_lua_block` that does not have any lua code doing `ngx.exit(ngx.DECLINED)`
                # other authentication method such as basic auth or external auth useless - all requests will be allowed.
                #access_by_lua_block {
                #}

                header_filter_by_lua_block {
                        lua_ingress.header()
                        plugins.run()
                }

                body_filter_by_lua_block {
                        plugins.run()
                }

                log_by_lua_block {
                        balancer.log()

                        monitor.call()

                        plugins.run()
                }

                port_in_redirect off;

                set $balancer_ewma_score -1;
                set $proxy_upstream_name "dev-namespace-mercure-hub-80";
                set $proxy_host          $proxy_upstream_name;
                set $pass_access_scheme  $scheme;

                set $pass_server_port    $server_port;

                set $best_http_host      $http_host;
                set $pass_port           $pass_server_port;

                set $proxy_alternative_upstream_name "";

                client_max_body_size                    20m;

                proxy_set_header Host                   $best_http_host;

                # Pass the extracted client certificate to the backend

                # Allow websocket connections
                proxy_set_header                        Upgrade           $http_upgrade;

                proxy_set_header                        Connection        $connection_upgrade;

                proxy_set_header X-Request-ID           $req_id;
                proxy_set_header X-Real-IP              $remote_addr;

                proxy_set_header X-Forwarded-For        $remote_addr;

                proxy_set_header X-Forwarded-Host       $best_http_host;
                proxy_set_header X-Forwarded-Port       $pass_port;
                proxy_set_header X-Forwarded-Proto      $pass_access_scheme;
                proxy_set_header X-Forwarded-Scheme     $pass_access_scheme;

                proxy_set_header X-Scheme               $pass_access_scheme;

                # Pass the original X-Forwarded-For
                proxy_set_header X-Original-Forwarded-For $http_x_forwarded_for;

                # mitigate HTTPoxy Vulnerability
                # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
                proxy_set_header Proxy

Additional Details:
We have also attempted to enable dev mode without success:

/usr/bin/caddy run --config /etc/caddy/Caddyfile.dev

Question:

Is there a misconfiguration in our setup that could be causing this issue?
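A way to check the preflight described above from outside the browser, as an added example that is not part of the issue or of the Mercure project: it sends the same OPTIONS request a browser sends before a credentialed request to the subscribe URL from the post and then judges the reply the way the browser does. The hub URL and origin are the ones quoted in the issue; the requested headers (`authorization`, `last-event-id`) and credentials mode "include" are assumptions about the frontend.

```shell
#!/bin/sh
# Added example (not from the issue or Mercure): reproduce the browser's CORS
# preflight against the Mercure subscribe endpoint and evaluate the answer.
HUB_URL="https://www.domain.com/.well-known/mercure?topic=%2F740127%2Fnotification"
ORIGIN="https://www.domain.com"
REQ_HEADERS="authorization,last-event-id"   # assumption about the frontend

# Preflight as the browser would send it; prints the raw response headers.
send_preflight() {
  curl -sS -o /dev/null -D - -X OPTIONS "$HUB_URL" \
    -H "Origin: $ORIGIN" \
    -H "Access-Control-Request-Method: GET" \
    -H "Access-Control-Request-Headers: $REQ_HEADERS"
}

# Judge a raw header block read from stdin. Assumes credentials mode
# "include" (cookies or Authorization), so Allow-Origin must echo the origin
# exactly ("*" is not accepted) and every requested header must be listed in
# Allow-Headers. GET is CORS-safelisted, so Allow-Methods is not consulted.
# Returns 0 when the browser would go on to send the real GET.
judge_preflight() {
  origin=$1; wanted=$2
  headers=$(tr -d '\r' | tr '[:upper:]' '[:lower:]')
  status=$(printf '%s\n' "$headers" | sed -n '1s#^http/[0-9.]* \([0-9][0-9]*\).*#\1#p')
  allow_origin=$(printf '%s\n' "$headers" | sed -n 's/^access-control-allow-origin: *//p' | head -n 1)
  allow_headers=$(printf '%s\n' "$headers" | sed -n 's/^access-control-allow-headers: *//p' | head -n 1 | tr -d ' ')
  case "$status" in
    2*) ;;
    *) echo "rejected: HTTP $status, OPTIONS was refused before any CORS headers were added"; return 1 ;;
  esac
  if [ "$allow_origin" != "$(printf '%s' "$origin" | tr '[:upper:]' '[:lower:]')" ]; then
    echo "rejected: Allow-Origin is '$allow_origin', expected '$origin' (check cors_origins)"; return 1
  fi
  for h in $(printf '%s' "$wanted" | tr ',' ' '); do
    case ",$allow_headers," in
      *",$h,"*) ;;
      *) echo "rejected: '$h' is not listed in Allow-Headers '$allow_headers'"; return 1 ;;
    esac
  done
  echo "ok: browser would send the real GET"
}

# Live check against the hub (needs network); uncomment to run it:
# send_preflight | judge_preflight "$ORIGIN" "$REQ_HEADERS"
```

A 403 verdict means the OPTIONS request was refused by the hub or the ingress before CORS processing, which is a different failure from a mismatched `cors_origins` value; the second and third messages distinguish those cases.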
