foxhound87
3/19/2016 - 9:02 PM

This is an nginx configuration that does the following: - Implements a RESTful API using CORS between `example.com` and `api.example.com`

This is an nginx configuration that does the following:

  • Implements a RESTful API using CORS between example.com and api.example.com
  • Uses SSL
  • Reverse-proxies SSL traffic from port 443 to a NodeJS application running on port 8000

Adapted from this page, with thanks to the original author: http://enable-cors.org/server_nginx.html

# Configure the reverse-proxy on port 443
server {
  # general configs
  keepalive_timeout    30;
  listen               127.0.0.1:443 ssl;
  server_name          api.example.com;

  # ssl configs
  ssl_certificate      /path/to/api.crt;
  ssl_certificate_key  /path/to/api.key;
  ssl_session_cache    shared:SSL:10m;
  ssl_session_timeout  10m;

  # proxy to the nodejs applciation
  location / {

    # handle OPTIONS requests
    # @note: don't try to DRY out this "if" block, or you're gonna have a bad time.
    # @see: http://wiki.nginx.org/IfIsEvil
    if ($request_method = 'OPTIONS') {
      add_header 'Access-Control-Allow-Credentials' 'true';
      add_header 'Access-Control-Allow-Headers'     'Authorization,Content-Type,Accept,Origin,User-Agent,DNT,Cache-Control,X-Mx-ReqToken,Keep-Alive,X-Requested-With,If-Modified-Since';
      add_header 'Access-Control-Allow-Methods'     'GET, DELETE, OPTIONS, POST, PUT';
      add_header 'Access-Control-Allow-Origin'      'https://example.com';
      add_header 'Access-Control-Max-Age'           2592000;
      add_header 'Content-Length'                   0;
      add_header 'Content-Type'                     'text/plain charset=UTF-8';
      return 204;
    }

    # proxy to the nodejs application
    client_max_body_size 64G;
    proxy_pass   http://127.0.0.1:8000;

    # send the CORS headers
    add_header 'Access-Control-Allow-Credentials' 'true';
    add_header 'Access-Control-Allow-Origin'      'https://example.com';

    # set additional security headers
    add_header 'Cache-Control'                    'no-cache, no-store, must-revalidate';
    add_header 'Content-Security-Policy'          'connect-src example.com';
    add_header 'Expires'                          '0';
    add_header 'Pragma'                           'no-cache';
    add_header 'Strict-Transport-Security'        'max-age=31536000; includeSubDomains';
    add_header 'X-Content-Type-Options'           'nosniff';
    add_header 'X-Frame-Options'                  'DENY';
    add_header 'X-XSS-Protection'                 '1; mode=block';
  }

  # logs paths
  access_log /path/to/access.log;
  error_log  /path/to/error.log;
}

# Rewrite all trafic on port 80 to 443
server {
  listen         127.0.0.1:80;
  server_name    api.example.com;
  rewrite        ^ https://$server_name:8000$request_uri? permanent;
}