Web Service CORS Configuration
Your cue-web application is now running on the nginx default port, 81. To run correctly, it must be able to send requests to the CUE Content Store's web service. This web service may be running on a different host in a different domain. Even if it is running on the same host as nginx, it will most likely be listening on port 8080 (Tomcat's default port). This means that by default any requests from the cue-web application to the Content Store web service will be rejected as cross-origin scripting exploits.
You can, however, enable cross-origin communication between the cue-web application and the Content Store web service by setting up an nginx proxy for the web service that forwards requests to the actual web service and also adds the CORS headers needed to ensure that the requests will not be rejected. Here is an example of a suitable /etc/nginx/default-site/webservice.conf:
location ~ "/(escenic|studio|webservice|webservice-extensions)/(.*)" {
  # Origin filter: only origins under dev.my-cue-domain.com (http or https, optional port)
  if ($http_origin ~* (https?://[^/]*\.dev\.my-cue-domain\.com(:[0-9]+)?)$) {
    set $cors "true";
  }

  # Append a method class to $cors, giving "trueoptions", "trueget" or "truepost"
  # for an allowed origin
  if ($request_method = 'OPTIONS') {
    set $cors "${cors}options";
  }
  if ($request_method = 'GET') {
    set $cors "${cors}get";
  }
  if ($request_method = 'HEAD') {
    set $cors "${cors}get";
  }
  if ($request_method = 'POST') {
    set $cors "${cors}post";
  }
  if ($request_method = 'PUT') {
    set $cors "${cors}post";
  }
  if ($request_method = 'DELETE') {
    set $cors "${cors}post";
  }

  # Read requests from an allowed origin
  if ($cors = "trueget") {
    add_header "Access-Control-Allow-Origin" "$http_origin" always;
    add_header "Access-Control-Allow-Credentials" "true" always;
    add_header "Access-Control-Expose-Headers" "Link,X-ECE-Active-Connections,Location,ETag,Allow" always;
  }

  # Write requests from an allowed origin
  if ($cors = "truepost") {
    add_header "Access-Control-Allow-Origin" "$http_origin" always;
    add_header "Access-Control-Allow-Credentials" "true" always;
    add_header "Access-Control-Expose-Headers" "Link,X-ECE-Active-Connections,Location,ETag" always;
  }

  # Preflight from an allowed origin: answered by nginx itself, not proxied
  if ($cors = "trueoptions") {
    add_header 'Access-Control-Allow-Origin' "$http_origin";
    add_header 'Access-Control-Allow-Credentials' 'true';
    add_header 'Access-Control-Max-Age' 1728000;
    add_header 'Access-Control-Allow-Methods' 'GET, POST, HEAD, OPTIONS, PUT, DELETE';
    add_header 'Access-Control-Allow-Headers' 'Authorization,Content-Type,Accept,Origin,User-Agent,DNT,Cache-Control,X-Mx-ReqToken,Keep-Alive,X-Requested-With,If-Modified-Since,If-Match,If-None-Match,X-Escenic-Locks,X-Escenic-media-filename,X-Escenic-home-section-uri,X-Escenic-Container-Destinations';
    add_header 'Content-Length' 0;
    add_header 'Content-Type' 'text/plain; charset=UTF-8';
    return 204;
  }

  # Everything else is passed to the web service on Tomcat
  proxy_set_header Host $http_host;
  proxy_pass http://127.0.0.1:8080;
}
In the origin filter at the top of the file:
  if ($http_origin ~* (https?://[^/]*\.dev\.my-cue-domain\.com(:[0-9]+)?)$) { set $cors "true"; }
you must replace my-cue-domain\.com with the actual domain name of your CUE installation.
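An added example, not part of the original page or of CUE's own code: a Python model of the $cors logic in the configuration above, so that an edited origin filter can be checked against constructed Origin values before nginx is reloaded. The function name cors_decision and the sample origins are assumptions made for illustration.

```python
import re

# The page's origin filter; nginx "~*" is an unanchored, case-insensitive PCRE match.
ORIGIN_FILTER = re.compile(
    r"(https?://[^/]*\.dev\.my-cue-domain\.com(:[0-9]+)?)$", re.IGNORECASE)

# Suffix that each "if ($request_method = ...)" block appends to $cors.
METHOD_SUFFIX = {"OPTIONS": "options", "GET": "get", "HEAD": "get",
                 "POST": "post", "PUT": "post", "DELETE": "post"}

EXPOSE = "Link,X-ECE-Active-Connections,Location,ETag"


def cors_decision(origin, method):
    """Return (cors_value, headers, answered_by_nginx) for one request."""
    cors = "true" if origin and ORIGIN_FILTER.search(origin) else ""
    cors += METHOD_SUFFIX.get(method, "")
    if cors not in ("trueget", "truepost", "trueoptions"):
        return cors, {}, False          # proxied to Tomcat with no CORS headers
    headers = {"Access-Control-Allow-Origin": origin,
               "Access-Control-Allow-Credentials": "true"}
    if cors == "trueoptions":
        # Allow-Methods / Allow-Headers are left out of this model for brevity.
        headers["Access-Control-Max-Age"] = "1728000"
        return cors, headers, True      # nginx answers the preflight with 204
    headers["Access-Control-Expose-Headers"] = (
        EXPOSE + ",Allow" if cors == "trueget" else EXPOSE)
    return cors, headers, False


# Constructed Origin values (not from the page) for a regression check.
SAMPLES = [
    ("https://editor.dev.my-cue-domain.com", "GET"),
    ("http://editor.dev.my-cue-domain.com:81", "PUT"),
    ("https://EDITOR.DEV.MY-CUE-DOMAIN.COM", "OPTIONS"),
    ("https://dev.my-cue-domain.com", "GET"),             # no label before ".dev"
    ("https://editor.dev.my-cue-domain.com.other.example", "GET"),
    ("https://editor.my-cue-domain.com", "POST"),
    ("", "GET"),                                           # no Origin header
]

if __name__ == "__main__":
    for origin, method in SAMPLES:
        cors, headers, local = cors_decision(origin, method)
        print(f"{method:7} {origin or '(none)':52} $cors={cors or '-':12} "
              f"ACAO={'yes' if headers else 'no'} 204={local}")
```

Because the proxy reflects $http_origin together with Access-Control-Allow-Credentials: true, the origin filter is the only gate on which sites may read authenticated responses, so it is worth re-running a check like this whenever the domain in the filter is edited. A request that fails the filter is still proxied to the web service; only the CORS headers are withheld.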