Avoid CORS with Nginx proxy_pass

I recently had to make cross origin AJAX requests (CORS), which was fine since I had control over the API server and simply adding these headers will make modern browsers ask the API server for permission and then make the request.

Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: POST,GET,PUT,DELETE
Access-Control-Allow-Headers: Authorization, Lang

But, of course, Internet Explorer want to be a pita and IE 8 & 9 does not support this (a part of it is supported, check out this table). And I have to support IE 9 at least.

So, nginx to the rescue like many times in the past.

I want to configure Nginx to take local requests made to /api/ and forward those to the api located at http://apiserver.com.

This is what I have in Nginx since the website is up and running (for all browsers except IE 8&9).

server {
        charset UTF-8;
        listen 80;
        root /home/web/myclient;
        index index.html;
        server_name myclient.com;

        location ~ /\. {
                deny all;
        }

        location / {
                try_files $uri;
        }
}

It basically says: listen to myclient.com on port 80 and deny all requests made to files starting with a dot and serve all other files matching filenames from the dir /home/web/myclient.

Alright, lets change so calls starting with /api/ forwards the call to the API server (not including the /api/ part of the requested path). The trailing slash on the /api/ and proxy_pass http://api_server/; are important here.

We’re adding an upstream and a location block.

upstream api_server {
    server apiserver.com;
}

server {
        charset UTF-8;
        listen 80;
        root /home/web/myclient;
        index index.html;
        server_name myclient.com;

        location /api/ {
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-NginX-Proxy true;
                proxy_pass http://api_server/;
                proxy_ssl_session_reuse off;
                proxy_set_header Host $http_host;
                proxy_redirect off;
        }

        location ~ /\. {
                deny all;
        }

        location / {
                try_files $uri;
        }
}

Now we just restart the server and it should work to make AJAX calls to http://myclient.com/api/users to get all users.