We have configured a Kubernetes environment for our application, which has one master and two slaves, with nginx used as the web server. While accessing the URL of our application, I am getting a CORS error. I have followed the Kubernetes documentation (https://kubernetes.io/docs/tasks/access-application-cluster/connecting-frontend-backend/) for setting up the connection between backend and frontend; you can find all those details below. I am not including the full details of the YAML files here, so please let me know if I am missing anything.
This is the error I am getting:
Access to XMLHttpRequest at 'http://andy.fin.com:9090/configuration/api/v1/configuration' from origin 'http://172.16.198.102:32603' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
#nginx configuration
upstream zuul {
    server zuul;
}
location / {
    proxy_pass http://andy.fin.com:9090/;
    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto "http";
    proxy_set_header Origin "http://localhost:32603";
    proxy_set_header Referer "http://localhost:32603";
    proxy_hide_header 'Access-Control-Allow-Origin';
}
apiVersion: apps/v1
kind: Deployment
metadata:
  name: frontend
spec:
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: zuul
      tier: frontend
  replicas: 1
  template:
    metadata:
      labels:
        app: zuul
        tier: frontend
    spec:
      containers:
      - name: nginx
        image: nginx
---
apiVersion: v1
kind: Service
metadata:
  name: frontend
spec:
  selector:
    app: zuul
    tier: frontend
  ports:
  - protocol: "TCP"
    port: 80
    targetPort: 80
  type: LoadBalancer
apiVersion: apps/v1
kind: Deployment
metadata:
  name: zuul-routing
spec:
  selector:
    matchLabels:
      app: zuul
      tier: backend
  replicas: 1
  template:
    metadata:
      labels:
        app: zuul
        tier: backend
    spec:
      containers:
      - env:
---
apiVersion: v1
kind: Service
metadata:
  name: zuul
spec:
  selector:
    app: zuul
    tier: backend
  ports:
  - protocol: TCP
    port: 9090
    targetPort: http
Basically, you need at some point to make the following decision:
Is the given Origin allowed to access the requested content?
You can answer that question in the reverse proxy, in the endpoint's webserver or in the application's logic. Advanced: Combine those and make decisions in multiple places. Just be careful not to overwrite previously set headers unintentionally.
Is the answer yes?
Then, the header must be set in a URI style containing:
http[s]://<trusted_origin_domain>[:port]
From your question, it is not clear at which point you set up the logic and set the information accordingly.
For simplicity, you could start off by letting nginx send the correct header. It is important not to mix up headers sent to the node and headers sent to the client.
If you have the CORS implementation in the application, you should pass the parameters (trusted origin) via the environment, in a build step or in a similar stage.
Choose a way that allows you to scale as much as necessary, while consuming as little time as possible.
Looking closer at your specific problem
It seems that your decision making in the application and in nginx are overlapping.
Side note concerning HTTPS
You might be leaking unencrypted http traffic when forwarding through the internet without having further DNS and VPN setup.
The header sent to the browser must look exactly like this in your case:
Access-Control-Allow-Origin: http://172.16.198.102:32603
As you are overwriting Referer and Origin, the whole security is not working:
proxy_set_header Origin "http://localhost:32603";
proxy_set_header Referer "http://localhost:32603";
Remove those.
You are blocking the concerning CORS header from reaching the browser:
proxy_hide_header 'Access-Control-Allow-Origin';
Remove that as well.
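One way to let nginx make the origin decision described in the answer, shown as an added example that is not part of the question or the answer. It assumes the API requests pass through this nginx; the allowed origin is taken from the error message above, while the method and header lists are constructed placeholders to adapt.

```nginx
# Added example (not the asker's config). The map goes in the http {} context.
# Allowlist: only origins listed here get their value echoed back.
map $http_origin $cors_allow_origin {
    default                        "";            # unknown origin: empty value
    "http://172.16.198.102:32603"  $http_origin;  # origin from the error message
}

server {
    listen 80;

    location / {
        # Answer the preflight in nginx so it does not depend on the backend.
        # add_header skips a header whose value is empty, so an origin that is
        # not in the map receives no Access-Control-Allow-Origin at all.
        if ($request_method = OPTIONS) {
            add_header Access-Control-Allow-Origin  $cors_allow_origin always;
            # Assumed lists: replace with what the application really needs.
            add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always;
            add_header Access-Control-Allow-Headers "Content-Type, Authorization" always;
            add_header Vary Origin always;
            return 204;
        }

        proxy_pass http://andy.fin.com:9090/;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Origin and Referer are passed through untouched, as the answer advises.

        # nginx is the single place that decides here, so a backend-set value
        # is dropped deliberately and replaced below. Without the add_header
        # lines that follow, this directive alone would reproduce the error.
        proxy_hide_header Access-Control-Allow-Origin;
        add_header Access-Control-Allow-Origin $cors_allow_origin always;
        add_header Vary Origin always;   # keep caches from mixing origins
    }
}
```

If the application makes the CORS decision instead, drop the `map`, the `if` block, `proxy_hide_header` and the `add_header` lines so that only one layer sets the header.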