How do I configure `Access-Control-Allow-Origin` with Rails, nginx and Passenger?
I cannot get `Access-Control-Allow-Origin` to show in Chrome - my ultimate goal is to configure CORS for fonts in Rails, so it works in production with CloudFront. For now though, I just want it to work in development. I can see the header via curl, but not in Chrome.
I am using Rails 4.0, and have tried all of the following...
I have configured the Gemfile and application.rb per the rack-cors example for Rails 4:
Gemfile
```ruby
gem 'rack-cors', '~> 0.2.9', require: 'rack/cors'
```
config/application.rb
```ruby
# Insert Rack::Cors ahead of the static file middleware so asset responses get CORS headers
config.middleware.insert_before 'ActionDispatch::Static', 'Rack::Cors' do
  allow do
    origins '*'
    resource '*', :headers => :any, :methods => [:get, :options, :head]
  end
end
```
Rails console
```
2.0.0-p481 :001 > Rails.env
 => "development"
2.0.0-p481 :002 > Hello::Application.config.serve_static_assets
 => true
```
```bash
curl -i http://localhost:5000/assets/opensans-regular-webfont.woff

content-type: application/font-woff
content-length: 22660
connection: keep-alive
status: 200 ok
cache-control: public, must-revalidate
last-modified: wed, 30 apr 2014 23:51:57 gmt
etag: "467b34801137bd4031e139839ad86370"
x-request-id: c4b07b4d-1c43-44ea-9565-dfda66378f98
x-runtime: 0.046007
x-powered-by: phusion passenger 4.0.50
date: sat, 20 sep 2014 04:39:38 utc
server: nginx/1.6.1 + phusion passenger 4.0.50

curl -i -H "origin: http://localhost:5000" http://localhost:5000/assets/opensans-regular-webfont.woff

content-type: application/font-woff
content-length: 22660
connection: keep-alive
status: 200 ok
cache-control: public, must-revalidate
last-modified: wed, 30 apr 2014 23:51:57 gmt
etag: "467b34801137bd4031e139839ad86370"
access-control-allow-origin: http://localhost:5000   # adding
access-control-allow-methods: get, options, head     # -H
access-control-max-age: 1728000                      # produced
access-control-allow-credentials: true               # these
vary: origin                                         # headers
x-request-id: b9666f30-416d-4b5b-946a-bdd432bc191c
x-runtime: 0.050420
x-powered-by: phusion passenger 4.0.50
date: sat, 20 sep 2014 03:45:30 utc
server: nginx/1.6.1 + phusion passenger 4.0.50
```
Chrome (v37) Developer Tools > Network > opensans-regular-webfont.woff > Headers > Response Headers
```
http/1.1 304 not modified
connection: keep-alive
status: 304 not modified
cache-control: no-cache
x-request-id: ac153b8c-e0cb-489d-94dd-90aacc10d715
x-runtime: 0.116511
x-powered-by: phusion passenger 4.0.50
date: sat, 20 sep 2014 03:41:53 utc
server: nginx/1.6.1 + phusion passenger 4.0.50
```
I tried the following alternatives, per various sources:
```ruby
config.middleware.insert_before 'ActionDispatch::Static', 'Rack::Cors'
config.middleware.insert_after Rails::Rack::Logger, Rack::Cors
config.middleware.insert_before Warden::Manager, Rack::Cors
config.middleware.insert 0, Rack::Cors
config.middleware.use Rack::Cors
```
I tried the following in application.rb, per How to display FontAwesome in Firefox using Rails and CloudFront:
```ruby
config.assets.header_rules = {
  :global => {'Cache-Control' => 'public, max-age=31536000'},
  :fonts  => {'Access-Control-Allow-Origin' => '*'}
}
```
I tried the following in config.ru, per CloudFront CDN with Rails on Heroku:
```ruby
require 'rack/cors'

use Rack::Cors do
  allow do
    origins '*'
    resource '*', :headers => :any, :methods => :get
  end
end
```
bundle exec rake middleware
```
use Rack::Cors
use Rack::Sendfile
use ActionDispatch::Static
use Rack::Lock
use #<ActiveSupport::Cache::Strategy::LocalCache::Middleware:0x007f9ec21590b0>
use Rack::Runtime
use Rack::MethodOverride
use ActionDispatch::RequestId
use Rails::Rack::Logger
use ActionDispatch::ShowExceptions
use ActionDispatch::DebugExceptions
use ActionDispatch::RemoteIp
use ActionDispatch::Reloader
use ActionDispatch::Callbacks
use ActiveRecord::Migration::CheckPending
use ActiveRecord::ConnectionAdapters::ConnectionManagement
use ActiveRecord::QueryCache
use ActionDispatch::Cookies
use ActionDispatch::Session::CookieStore
use ActionDispatch::Flash
use ActionDispatch::ParamsParser
use Rack::Head
use Rack::ConditionalGet
use Rack::ETag
use Warden::Manager
use OmniAuth::Strategies::Facebook
run Hello::Application.routes
```
I tried font_assets to no avail.
The `Server` line made me think that perhaps the assets are not being handled by Rails, but rather by nginx.
This means that the headers must be added by nginx, not Rails, and therefore we need to configure nginx. It turns out that the ability to configure nginx has been possible as of Passenger 4.0.39 - (here is the corresponding Git diff). The corresponding documentation is available in Passenger Standalone, under Advanced configuration.
An important note in the documentation: The original configuration template file may change from time to time, e.g. because new features are introduced into Phusion Passenger. If your configuration template file does not contain the required changes, these new features may not work properly. In the worst case, Standalone might malfunction. Therefore, every time you upgrade Phusion Passenger, you should check whether the original configuration template file has changed, and merge any changes back into your own file.
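With respect to that note, in addition to the customizable copy of the configuration file, create an "original" copy that you can `diff` whenever you upgrade Passenger.
```bash
# Customizable copy of Passenger Standalone's nginx template
cp $(passenger-config about resourcesdir)/templates/standalone/config.erb config/nginx.conf.erb
# Untouched reference copy, kept only for diffing after upgrades
cp config/nginx.conf.erb config/nginx.conf.erb.original
```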
Next, add `--nginx-config-template config/nginx.conf.erb` to the `web` line in the Procfile.
Procfile
```
web: bundle exec passenger start -p $PORT --max-pool-size 3 --nginx-config-template config/nginx.conf.erb
```
config/nginx.conf.erb
Next, edit the configuration file config/nginx.conf.erb by finding the block that looks as follows:
```nginx
location @static_asset {
    gzip_static on;
    expires max;
    add_header Cache-Control public;
    add_header ETag "";
}
```
...and add the 2 Access-Control lines:
```nginx
location @static_asset {
    gzip_static on;
    expires max;
    add_header Cache-Control public;
    add_header ETag "";
    add_header Access-Control-Allow-Origin *;
    add_header Access-Control-Request-Method *;
}
```
That's it. This will work in production, but not in development, due to `config.assets` differences between the two.
The config diff
The `diff` should not return anything now, but if any future updates to Passenger include a change to this file, you will know.
```bash
diff $(passenger-config about resourcesdir)/templates/standalone/config.erb config/nginx.conf.erb.original
```
nginx documentation
- http://nginx.org/en/docs/beginners_guide.html
- http://nginx.org/en/docs/http/ngx_http_core_module.html#location
Future improvements
- restrict the Allow-Origin
- restrict the Request-Method
- restrict both headers to just fonts
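
One way to implement the restrictions listed under future improvements, added here as an example and not part of the original answer. The origin allowlist (`https://www.example.com` is a placeholder), the font extension list and the variable names `$cors_allowed_origin` and `$cors_font_origin` are assumptions; the two `map` blocks go in the `http` context of config/nginx.conf.erb.

```nginx
# --- http context ---

# Echo the request's Origin only when it is on the allowlist (hypothetical values).
# Any other origin maps to the empty string.
map $http_origin $cors_allowed_origin {
    default                    "";
    "https://www.example.com"  $http_origin;   # placeholder production origin
    "http://localhost:5000"    $http_origin;   # development origin used on this page
}

# Only font files carry the allowed origin forward; every other asset gets "".
map $uri $cors_font_origin {
    default                           "";
    ~*\.(woff2?|ttf|otf|eot)$         $cors_allowed_origin;
}

# --- server context: replaces the wildcard version of the block ---

location @static_asset {
    gzip_static on;
    expires max;
    add_header Cache-Control public;
    add_header ETag "";

    # nginx skips an add_header whose value is empty, so non-font assets and
    # unlisted origins receive no Access-Control-Allow-Origin header at all.
    add_header Access-Control-Allow-Origin $cors_font_origin;

    # The response now depends on the request's Origin, so caches (CloudFront
    # included) must not reuse a copy stored for a different origin.
    add_header Vary Origin;

    # Access-Control-Request-Method is left out: it is a header browsers send
    # in a preflight request, and a plain GET for a font is not preflighted.
}
```

After reloading, `curl -i -H "Origin: ..."` against a font and against a non-font asset, once with a listed origin and once with an unlisted one, shows whether the header appears only where intended.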