gateway: fix setting CORS headers, for real this time

License: MIT
Signed-off-by: Lars Gierth <[email protected]>

Author: Lars Gierth

ipfs/config.tpl

@@ -54,18 +54,10 @@
     "PathPrefixes": ["/blog", "/refs"],
     "RootRedirect": "",
     "Writable": false,
-    "HTTPHeaders": {
-      "Access-Control-Allow-Origin": ["*"],
-      "Access-Control-Allow-Methods": ["GET", "POST", "PUT"],
-      "Access-Control-Allow-Headers": ["X-Requested-With", "Range"]
-    }
+    "HTTPHeaders": {}
   },
   "API": {
-    "HTTPHeaders": {
-      "Access-Control-Allow-Origin": ["*"],
-      "Access-Control-Allow-Methods": ["GET", "POST", "PUT"],
-      "Access-Control-Allow-Headers": ["X-Requested-With", "Range"]
-    }
+    "HTTPHeaders": {}
   },
   "DialBlocklist": null,
   "Swarm": {

ipfs/gateway/nginx.conf

@@ -8,6 +8,10 @@ $(for h in $(lookup gateway_hosts); do
 done)
 }
 
+upstream ws_bootstrap {
+    server 127.0.0.1:8081;
+}
+
 # TODO set proper port in Host headers,
 #      we're just working around libp2p/go-ws-transport#8 for now.
 
@@ -20,6 +24,11 @@ server {
 
     include conf.d/gateway/denylist.conf;
 
+    add_header 'Access-Control-Allow-Origin' '*' always;
+    add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
+    add_header 'Access-Control-Allow-Headers' 'X-Requested-With, Range, Content-Range, X-Chunked-Output, X-Stream-Output' always;
+    add_header 'Access-Control-Expose-Headers' 'Content-Range, X-Chunked-Output, X-Stream-Output' always;
+
     proxy_pass_header Server;
     proxy_read_timeout 1800s;
 
@@ -39,6 +48,11 @@ server {
 
     include conf.d/gateway/denylist.conf;
 
+    add_header 'Access-Control-Allow-Origin' '*' always;
+    add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
+    add_header 'Access-Control-Allow-Headers' 'X-Requested-With, Range, Content-Range, X-Chunked-Output, X-Stream-Output' always;
+    add_header 'Access-Control-Expose-Headers' 'Content-Range, X-Chunked-Output, X-Stream-Output' always;
+
     proxy_pass_header Server;
     proxy_read_timeout 1800s;
 
@@ -62,6 +76,11 @@ server {
 
     include conf.d/gateway/denylist.conf;
 
+    add_header 'Access-Control-Allow-Origin' '*' always;
+    add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
+    add_header 'Access-Control-Allow-Headers' 'X-Requested-With, Range, Content-Range, X-Chunked-Output, X-Stream-Output' always;
+    add_header 'Access-Control-Expose-Headers' 'Content-Range, X-Chunked-Output, X-Stream-Output' always;
+
     proxy_pass_header Server;
     proxy_read_timeout 1800s;
 
@@ -87,6 +106,11 @@ server {
     # 31536000 seconds = 12 months, as advised by hstspreload.org
     add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
 
+    add_header 'Access-Control-Allow-Origin' '*' always;
+    add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
+    add_header 'Access-Control-Allow-Headers' 'X-Requested-With, Range, Content-Range, X-Chunked-Output, X-Stream-Output' always;
+    add_header 'Access-Control-Expose-Headers' 'Content-Range, X-Chunked-Output, X-Stream-Output' always;
+
     include conf.d/gateway/denylist.conf;
 
     proxy_pass_header Server;
@@ -114,6 +138,11 @@ server {
     # 31536000 seconds = 12 months, as advised by hstspreload.org
     add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
 
+    add_header 'Access-Control-Allow-Origin' '*' always;
+    add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
+    add_header 'Access-Control-Allow-Headers' 'X-Requested-With, Range, Content-Range, X-Chunked-Output, X-Stream-Output' always;
+    add_header 'Access-Control-Expose-Headers' 'Content-Range, X-Chunked-Output, X-Stream-Output' always;
+
     include conf.d/gateway/denylist.conf;
 
     proxy_pass_header Server;
@@ -147,6 +176,152 @@ server {
     }
 }
 
+server {
+    server_name $(var pages_bootstrap_hostname).bootstrap.libp2p.io;
+    access_log /var/log/nginx/access.log mtail;
+
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    ssl_certificate /etc/nginx/certs/bootstrap.libp2p.io.crt;
+    ssl_certificate_key /etc/nginx/certs/bootstrap.libp2p.io.key;
+    ssl_dhparam /etc/nginx/certs/bootstrap.libp2p.io.dhparam.pem;
+    ssl_trusted_certificate /etc/nginx/certs/bootstrap.libp2p.io.trustchain.crt;
+
+    # HSTS (ngx_http_headers_module is required)
+    # 31536000 seconds = 12 months, as advised by hstspreload.org
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+
+    add_header 'Access-Control-Allow-Origin' '*' always;
+    add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
+    add_header 'Access-Control-Allow-Headers' 'X-Requested-With, Range, Content-Range, X-Chunked-Output, X-Stream-Output' always;
+    add_header 'Access-Control-Expose-Headers' 'Content-Range, X-Chunked-Output, X-Stream-Output' always;
+
+    location / {
+        proxy_set_header Host $(var pages_bootstrap_hostname).bootstrap.libp2p.io:443;
+        proxy_set_header Upgrade \$http_upgrade;
+        proxy_set_header Connection \$http_connection;
+        proxy_set_header Sec-WebSocket-Key \$http_sec_websocket_key;
+        proxy_set_header Sec-WebSocket-Extensions \$http_sec_websocket_extensions;
+        proxy_set_header Sec-WebSocket-Version \$http_sec_websocket_version;
+        proxy_pass http://ws_bootstrap;
+        proxy_pass_header Server;
+        proxy_read_timeout 60s;
+    }
+}
+
+server {
+    server_name *.preload.ipfs.io;
+    access_log /var/log/nginx/access.log mtail;
+
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    ssl_certificate /etc/nginx/certs/preload.ipfs.io.crt;
+    ssl_certificate_key /etc/nginx/certs/preload.ipfs.io.key;
+    ssl_dhparam /etc/nginx/certs/preload.ipfs.io.dhparam.pem;
+    ssl_trusted_certificate /etc/nginx/certs/preload.ipfs.io.trustchain.crt;
+
+    # HSTS (ngx_http_headers_module is required)
+    # 31536000 seconds = 12 months, as advised by hstspreload.org
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+
+    add_header 'Access-Control-Allow-Origin' '*' always;
+    add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
+    add_header 'Access-Control-Allow-Headers' 'X-Requested-With, Range, Content-Range, X-Chunked-Output, X-Stream-Output' always;
+    add_header 'Access-Control-Expose-Headers' 'Content-Range, X-Chunked-Output, X-Stream-Output' always;
+
+    location /ipfs {
+        proxy_set_header Host \$host:443;
+        proxy_set_header X-Ipfs-Gateway-Prefix "";
+        proxy_pass http://gateway;
+    }
+
+    location /ipns {
+        proxy_set_header Host \$host:443;
+        proxy_set_header X-Ipfs-Gateway-Prefix "";
+        proxy_pass http://gateway;
+    }
+
+    location /api {
+        proxy_set_header Host \$host:443;
+        proxy_set_header X-Ipfs-Gateway-Prefix "";
+        proxy_pass http://gateway;
+    }
+
+    location / {
+        proxy_set_header Host \$host:80;
+        proxy_set_header Upgrade \$http_upgrade;
+        proxy_set_header Connection \$http_connection;
+        proxy_set_header Sec-WebSocket-Key \$http_sec_websocket_key;
+        proxy_set_header Sec-WebSocket-Extensions \$http_sec_websocket_extensions;
+        proxy_set_header Sec-WebSocket-Version \$http_sec_websocket_version;
+        proxy_pass http://ws_bootstrap;
+        proxy_pass_header Server;
+        proxy_read_timeout 60s;
+    }
+}
+
+server {
+    server_name js.ipfs.io;
+
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    ssl_certificate /etc/nginx/certs/ipfs.io.crt;
+    ssl_certificate_key /etc/nginx/certs/ipfs.io.key;
+    ssl_dhparam /etc/nginx/certs/dhparam.pem;
+    ssl_trusted_certificate /etc/nginx/certs/ipfs.io.trustchain.crt;
+
+    # HSTS (ngx_http_headers_module is required)
+    # 31536000 seconds = 12 months, as advised by hstspreload.org
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+
+    add_header 'Access-Control-Allow-Origin' '*' always;
+    add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
+    add_header 'Access-Control-Allow-Headers' 'X-Requested-With, Range, Content-Range, X-Chunked-Output, X-Stream-Output' always;
+    add_header 'Access-Control-Expose-Headers' 'Content-Range, X-Chunked-Output, X-Stream-Output' always;
+
+    location / {
+        proxy_set_header Host \$host;
+        # The gateway upstream is defined in the gateway.conf.
+        proxy_pass http://gateway;
+        proxy_pass_header Server;
+        proxy_read_timeout 60s;
+    }
+
+    location ~ "^/(ipfs|ipns)(/|$)" {
+        proxy_set_header Host "";
+        proxy_set_header X-Ipfs-Gateway-Prefix "";
+        proxy_pass http://gateway;
+    }
+}
+
+server {
+    server_name *.i.ipfs.io;
+
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    ssl_certificate /etc/nginx/certs/i.ipfs.io.crt;
+    ssl_certificate_key /etc/nginx/certs/i.ipfs.io.key;
+    ssl_dhparam /etc/nginx/certs/i.ipfs.io.dhparam.pem;
+    ssl_trusted_certificate /etc/nginx/certs/i.ipfs.io.trustchain.crt;
+
+    # HSTS (ngx_http_headers_module is required)
+    # 31536000 seconds = 12 months, as advised by hstspreload.org
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+
+    add_header 'Access-Control-Allow-Origin' '*' always;
+    add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
+    add_header 'Access-Control-Allow-Headers' 'X-Requested-With, Range, Content-Range, X-Chunked-Output, X-Stream-Output' always;
+    add_header 'Access-Control-Expose-Headers' 'Content-Range, X-Chunked-Output, X-Stream-Output' always;
+
+    location / {
+        proxy_set_header Host "";
+        # The gateway upstream is defined in the gateway.conf.
+        proxy_pass http://gateway;
+        proxy_pass_header Server;
+        proxy_read_timeout 60s;
+    }
+}
+
 server {
     server_name *.ipfs.dweb.link *.ipns.dweb.link;
     access_log /var/log/nginx/access.log mtail;
@@ -156,6 +331,11 @@ server {
 
     include conf.d/gateway/denylist.conf;
 
+    add_header 'Access-Control-Allow-Origin' '*' always;
+    add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
+    add_header 'Access-Control-Allow-Headers' 'X-Requested-With, Range, Content-Range, X-Chunked-Output, X-Stream-Output' always;
+    add_header 'Access-Control-Expose-Headers' 'Content-Range, X-Chunked-Output, X-Stream-Output' always;
+
     proxy_pass_header Server;
     proxy_read_timeout 1800s;
 

ipfs/pages/nginx.conf.tpl

@@ -1,5 +1,5 @@
 server {
-    server_name *.i.ipfs.io beta.docs.ipfs.io filecoin.io orbit.chat ipld.io libp2p.io multiformats.io zcash.dag.ipfs.io wikipedia-on-ipfs.org en.wikipedia-on-ipfs.org tr.wikipedia-on-ipfs.org simple.wikipedia-on-ipfs.org ar.wikipedia-on-ipfs.org ku.wikipedia-on-ipfs.org datatogether.org saftproject.com www.saftproject.com saft-project.com www.saft-project.com saft-project.org www.saft-project.org peerpad.net flipchart.peerpad.net;
+    server_name beta.docs.ipfs.io filecoin.io orbit.chat ipld.io libp2p.io multiformats.io zcash.dag.ipfs.io wikipedia-on-ipfs.org en.wikipedia-on-ipfs.org tr.wikipedia-on-ipfs.org simple.wikipedia-on-ipfs.org ar.wikipedia-on-ipfs.org ku.wikipedia-on-ipfs.org datatogether.org saftproject.com www.saftproject.com saft-project.com www.saft-project.com saft-project.org www.saft-project.org peerpad.net flipchart.peerpad.net;
     access_log /var/log/nginx/access.log mtail;
 
     listen 80;
@@ -18,30 +18,6 @@ server {
     return 301 https://protocol.ai\$request_uri;
 }
 
-server {
-    server_name *.i.ipfs.io;
-    access_log /var/log/nginx/access.log mtail;
-
-    listen 443 ssl;
-    listen [::]:443 ssl;
-    ssl_certificate /etc/nginx/certs/i.ipfs.io.crt;
-    ssl_certificate_key /etc/nginx/certs/i.ipfs.io.key;
-    ssl_dhparam /etc/nginx/certs/i.ipfs.io.dhparam.pem;
-    ssl_trusted_certificate /etc/nginx/certs/i.ipfs.io.trustchain.crt;
-
-    # HSTS (ngx_http_headers_module is required)
-    # 31536000 seconds = 12 months, as advised by hstspreload.org
-    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
-
-    location / {
-        proxy_set_header Host "";
-        # The gateway upstream is defined in the ipfs/gateway unit.
-        proxy_pass http://gateway;
-        proxy_pass_header Server;
-        proxy_read_timeout 60s;
-    }
-}
-
 server {
     server_name beta.docs.ipfs.io;
     access_log /var/log/nginx/access.log mtail;
@@ -114,84 +90,6 @@ server {
     }
 }
 
-upstream ws_bootstrap {
-    server 127.0.0.1:8081;
-}
-
-server {
-    server_name $(var pages_bootstrap_hostname).bootstrap.libp2p.io;
-    access_log /var/log/nginx/access.log mtail;
-
-    listen 443 ssl;
-    listen [::]:443 ssl;
-    ssl_certificate /etc/nginx/certs/bootstrap.libp2p.io.crt;
-    ssl_certificate_key /etc/nginx/certs/bootstrap.libp2p.io.key;
-    ssl_dhparam /etc/nginx/certs/bootstrap.libp2p.io.dhparam.pem;
-    ssl_trusted_certificate /etc/nginx/certs/bootstrap.libp2p.io.trustchain.crt;
-
-    # HSTS (ngx_http_headers_module is required)
-    # 31536000 seconds = 12 months, as advised by hstspreload.org
-    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
-
-    location / {
-        proxy_set_header Host $(var pages_bootstrap_hostname).bootstrap.libp2p.io:443;
-        proxy_set_header Upgrade \$http_upgrade;
-        proxy_set_header Connection \$http_connection;
-        proxy_set_header Sec-WebSocket-Key \$http_sec_websocket_key;
-        proxy_set_header Sec-WebSocket-Extensions \$http_sec_websocket_extensions;
-        proxy_set_header Sec-WebSocket-Version \$http_sec_websocket_version;
-        proxy_pass http://ws_bootstrap;
-        proxy_pass_header Server;
-        proxy_read_timeout 60s;
-    }
-}
-
-server {
-    server_name *.preload.ipfs.io;
-    access_log /var/log/nginx/access.log mtail;
-
-    listen 443 ssl;
-    listen [::]:443 ssl;
-    ssl_certificate /etc/nginx/certs/preload.ipfs.io.crt;
-    ssl_certificate_key /etc/nginx/certs/preload.ipfs.io.key;
-    ssl_dhparam /etc/nginx/certs/preload.ipfs.io.dhparam.pem;
-    ssl_trusted_certificate /etc/nginx/certs/preload.ipfs.io.trustchain.crt;
-
-    # HSTS (ngx_http_headers_module is required)
-    # 31536000 seconds = 12 months, as advised by hstspreload.org
-    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
-
-    location /ipfs {
-        proxy_set_header Host \$host:443;
-        proxy_set_header X-Ipfs-Gateway-Prefix "";
-        proxy_pass http://gateway;
-    }
-
-    location /ipns {
-        proxy_set_header Host \$host:443;
-        proxy_set_header X-Ipfs-Gateway-Prefix "";
-        proxy_pass http://gateway;
-    }
-
-    location /api {
-        proxy_set_header Host \$host:443;
-        proxy_set_header X-Ipfs-Gateway-Prefix "";
-        proxy_pass http://gateway;
-    }
-
-    location / {
-        proxy_set_header Host \$host:80;
-        proxy_set_header Upgrade \$http_upgrade;
-        proxy_set_header Connection \$http_connection;
-        proxy_set_header Sec-WebSocket-Key \$http_sec_websocket_key;
-        proxy_set_header Sec-WebSocket-Extensions \$http_sec_websocket_extensions;
-        proxy_set_header Sec-WebSocket-Version \$http_sec_websocket_version;
-        proxy_pass http://ws_bootstrap;
-        proxy_pass_header Server;
-        proxy_read_timeout 60s;
-    }
-}
-
 server {
     server_name ipld.io;
     access_log /var/log/nginx/access.log mtail;

nginx/nginx.conf

@@ -64,6 +64,8 @@ http {
     proxy_buffering off;
     proxy_buffer_size 4k;
     proxy_temp_path /tmp/nginx;
+    proxy_hide_header Access-Control-Allow-Headers;
+    proxy_hide_header Access-Control-Expose-Headers;
 
     include /etc/nginx/conf.d/*.conf;
 }