I'm trying to put CORS in a PHP api and got this error in my vhost error log
[Thu Jun 10 16:41:48.492129 2021] [core:alert] [pid 44869] [client 127.0.0.1:47408] /home/wardog1/work/gitlab/prodcalc/backend/api-accounts/codebase/php/.htaccess: Invalid command 'Header', perhaps misspelled or defined by a module not included in the server configuration
I'm using:
ubuntu 20
apache2
angular 8
I suspect it's some apache2 config missing
This is what I'm trying
RewriteEngine on
# Enable CORS
Header add Access-Control-Allow-Origin "*"
Header add Access-Control-Allow-Headers "origin, x-requested-with, content-type, COMPRODCALC_SESSION_ID"
Header add Access-Control-Allow-Methods "PUT, GET, POST, DELETE, OPTIONS"
# Force to request 200 for options
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule .* / [R=200,L]
$ curl -v -X OPTIONS api-accounts.prodcalc.com
* Trying 127.0.0.1:80...
* TCP_NODELAY set
* Connected to api-accounts.prodcalc.com (127.0.0.1) port 80 (#0)
> OPTIONS / HTTP/1.1
> Host: api-accounts.prodcalc.com
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 500 Internal Server Error
< Date: Thu, 10 Jun 2021 19:50:41 GMT
< Server: Apache/2.4.41 (Ubuntu)
< Content-Length: 623
< Connection: close
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
misconfiguration and was unable to complete
your request.</p>
<p>Please contact the server administrator at
webmaster#localhost to inform them of the time this error occurred,
and the actions you performed just before this error.</p>
<p>More information about this error may be available
in the server error log.</p>
<hr>
<address>Apache/2.4.41 (Ubuntu) Server at api-accounts.prodcalc.com Port 80</address>
</body></html>
* Closing connection 0
chrome console
Access to XMLHttpRequest at 'http://api-accounts.prodcalc.com/person/registerPerson' from origin 'http://localhost:4200' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
Related
I've inherited a web-app hosted in Azure and it appears the staging environment CORS is not functioning like all other environments.
I'm fairly new to Azure administration and I've applied the CORS configuration on the API app service (previously had no config set) which did not resolve the issue.
You can compare the different environment general/response headers below.
Local Dev...
Request URL: http://localhost:3001/api/getstarted/plans?fetchExcluded=true
Request Method: GET
Status Code: 200 OK
Remote Address: [::1]:3001
Referrer Policy: strict-origin-when-cross-origin
Access-Control-Allow-Origin: *
Connection: keep-alive
Content-Encoding: gzip
Content-Type: application/json; charset=utf-8
Date: Thu, 04 Nov 2021 21:55:22 GMT
Keep-Alive: timeout=5
Strict-Transport-Security: max-age=15552000; includeSubDomains
Transfer-Encoding: chunked
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-DNS-Prefetch-Control: off
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Current Production...
Request URL: https://api.<webapp>.app/api/getstarted/plans?fetchExcluded=true
Request Method: OPTIONS
Status Code: 204 No Content
Remote Address: ##.###.###.###:443
Referrer Policy: strict-origin-when-cross-origin
Access-Control-Allow-Headers: authorization
Access-Control-Allow-Methods: GET,HEAD,PUT,PATCH,POST,DELETE
Access-Control-Allow-Origin: *
Date: Thu, 04 Nov 2021 22:04:19 GMT
Strict-Transport-Security: max-age=15552000; includeSubDomains
Vary: Access-Control-Request-Headers
X-Content-Type-Options: nosniff
X-DNS-Prefetch-Control: off
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
However in staging...
Request URL: https://<webapp>.azurewebsites.net/api/getstarted/plans?fetchExcluded=true
Request Method: OPTIONS
Status Code: 503 Service Temporarily Unavailable
Remote Address: ##.###.###.###:443
Referrer Policy: strict-origin-when-cross-origin
Content-Length: 398
Date: Thu, 04 Nov 2021 21:56:02 GMT
Server: nginx
and from debug console in staging...
- Access to XMLHttpRequest at
'https://<webapp>.azurewebsites.net/api/getstarted/plans?fetchExcluded=true'
from origin 'https://<webapp>.z8.web.core.windows.net' has been
blocked by CORS policy: Response to preflight request doesn't pass
access control check: No 'Access-Control-Allow-Origin' header is
present on the requested resource. xhr.js:178
- GET
https://<webapp>-api-staging.azurewebsites.net/api/getstarted/plans?fetchExcluded=true
net::ERR_FAILED
I've checked the Azure Subscription usage + quotas, and the only thing nearing quota is "Network Watchers"
The API framework is ExpressJS with CORS...
app.use(cors())
In my opinion the issue has nothing to do with CORS, well, better said,...
As you can see in the staging environment you are receiving a 503, service unavailable, HTTP status error code:
Status Code: 503 Service Temporarily Unavailable
So my guess is that the staging environment is not working properly by some reason, and the associated load balancer is returning a 503 error page, of course, without any CORS indication, and your browser is complaining due to the fact your API doesn't receive a valid response.
Please, review the status of the staging environment: once healthy, it probably will offer a proper response to your application.
Unfortunately the issue was not CORS at all; rather the server image was failing to build and compile due to ESNext JS syntax (server < ESNext)
I found the logstream API which allowed me to view all errors, for posterity you might be able to find the same; https://<webapp>.scm.azurewebsites.net/api/logstream
I have Linux EC2 instance when i am trying to download a file but getting 403
wget https://plugins.gradle.org/m2/org/springframework/data/spring-data-releasetrain/Moore-
SR1/spring-data-releasetrain-Moore-SR1.pom
Above giving me me HTTP 403 error.How should i trace where its blocking me to download ?
All proxies are set properly in my Ec2.
I tried traceroute but its not give me IPs. How to troubleshoot where its blocking me to download.
I have also open all outbound traffic in security group of EC2 but no luck.
Curl in debug mode give me below
$curl -v repo.jfrog.org
* About to connect() to proxy myproxy.xxx.com port 8080 (#0)
* Trying 1**.10*.**.**...
* Connected to myproxy.xxx.com (1**.10*.**.**) port 8080 (#0)
* Establish HTTP proxy tunnel to repo.jfrog.org:443
> CONNECT repo.jfrog.org:443 HTTP/1.1
> Host: repo.jfrog.org:443
> User-Agent: curl/7.29.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 403 Forbidden
< Cache-Control: no-cache
< Pragma: no-cache
< Content-Type: text/html; charset=utf-8
< Proxy-Connection: Keep-Alive
< Connection: Keep-Alive
< Content-Length: 913
< X-RBT-SCAR: 10.1**.5.2**:1141466989:1000
<
* Received HTTP code 403 from proxy after CONNECT
* Connection #0 to host myproxy.xxx.com left intact
curl: (56) Received HTTP code 403 from proxy after CONNECT
So, I have to get http://www.rssweather.com/wx/in/kanpur/wx.php with using netcat.
My code goes like this.
nc -v rssweather.com 80
GET http://www.rssweather.com/wx/in/kanpur/wx.php HTTP/1.0
GET http://www.rssweather.com/wx/in/kanpur/wx.php HTTP/1.1
Connection: close
And, the result-
HTTP/1.1 403 Forbidden
Date: Thu, 03 Sep 2015 12:41:08 GMT
Server: Apache
Connection: close
Content-Type: text/html
charset=iso-8859-1
You don't have permission to access /wx/in/kanpur/wx.php
on this server.
Is there any way to overcome this Forbidden 403 error? What am I doing wrong?
You've already connected to the webserver at rssweather.com so you must not specify the full URL in the GET request, just the path:
nc -v rssweather.com 80
GET /wx/in/kanpur/wx.php HTTP/1.0
<blank line with return>
I have my fonts in a subdomain like static.example.com Today the fonts aren't displayed in Chrome —and in Firefox as well— and this error appeared in the dev tools:
«Font from origin 'http://static.example.com' has been blocked from loading by Cross-Origin Resource Sharing policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://example.com' is therefore not allowed access.»
I already have this code in the subdomain .htaccess file
<IfModule mod_headers.c>
<FilesMatch "\.(ttf|ttc|otf|eot|woff|font.css|css)$">
Header set Access-Control-Allow-Origin "*"
Header set Access-Control-Allow-Headers "Cache-Control, Pragma, Origin, Authorization, Content-Type, X-Requested-With"
Header set Access-Control-Allow-Methods "GET, PUT, POST"
</FilesMatch>
</IfModule>
Also if I try curl -I http://static.example.com/fonts/pfcentrosanspro-reg-webfont.eot in the terminal I get this response:
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 27 Aug 2014 17:20:50 GMT
Content-Type: font/eot
Content-Length: 26403
Connection: keep-alive
X-Accel-Version: 0.01
Last-Modified: Mon, 05 Aug 2013 17:49:42 GMT
Accept-Ranges: bytes
Cache-Control: max-age=31536000
Expires: Thu, 27 Aug 2015 17:20:50 GMT
X-Powered-By: PleskLin
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: Cache-Control, Pragma, Origin, Authorization, Content-Type, X-Requested-With
Access-Control-Allow-Methods: GET, PUT, POST
But the error persists, I have moved the fonts to a bucket in Amazon S3 CDN with this code:
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<CORSRule>
<AllowedOrigin>http://example.com</AllowedOrigin>
<AllowedMethod>GET</AllowedMethod>
<AllowedMethod>HEAD</AllowedMethod>
<AllowedMethod>DELETE</AllowedMethod>
<AllowedMethod>PUT</AllowedMethod>
<AllowedMethod>POST</AllowedMethod>
</CORSRule>
</CORSConfiguration>
No luck, the error is still there —the fonts doesn't load and the CORS error is displayed—, I even have modified the Nginx config file without results!
Am I doing something wrong? this is driving me nuts.
The site is a Wordpress blog with W3 Total Caché plugin
Thank you for your help!
Some browsers don't like this:
Access-Control-Allow-Origin *
You should set this to the domain of the originating request. I've struggled a lot with similar issues, and finally landed on the below solution (PHP, but you'll get the idea).
$origin=isset($_SERVER['HTTP_ORIGIN'])?$_SERVER['HTTP_ORIGIN']:$_SERVER['HTTP_HOST'];
header('Access-Control-Allow-Origin: '.$origin);
header('Access-Control-Allow-Methods: POST, OPTIONS, GET, PUT');
header('Access-Control-Allow-Credentials: true');
header('Access-Control-Allow-Headers: Authorization, X-Requested-With');
header('P3P: CP="NON DSP LAW CUR ADM DEV TAI PSA PSD HIS OUR DEL IND UNI PUR COM NAV INT DEM CNT STA POL HEA PRE LOC IVD SAM IVA OTC"');
header('Access-Control-Max-Age: 1');
This code will accept all requests from all domains. This could be insecure. You'd probably want to check the requests against a whitelist of accepted domains.
When I run the below curl command with --negotiate option I get the following error. Any idea why?
[Aug05 5:03am] pradeep#localhost:/tmp/pradeep> curl --negotiate -u : -k --verbose --head "http://something.domain.com/something/soething.action"
About to connect() to something.domain.com port 80 (#0)
Trying ip-address ... connected
Connected to something.domain.com (ip-address) port 80 (#0)
HEAD /something.action HTTP/1.1
User-Agent: curl/7.21.6 (i386-pc-solaris2.10) libcurl/7.21.6 OpenSSL/0.9.8j zlib/1.2.3
Host: something.domain.com
Accept: */*
< HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
< Date: Fri, 05 Aug 2011 09:04:45 GMT
Date: Fri, 05 Aug 2011 09:04:45 GMT
< Server: Apache-Coyote/1.1
Server: Apache-Coyote/1.1
* gss_init_sec_context() failed: : KDC policy rejects requestWWW-Authenticate: Negotiate
WWW-Authenticate: Negotiate
< Set-Cookie: JSESSIONID=0E94E134D7401632EBB4D042B8934DCD; Path=/
Set-Cookie: JSESSIONID=0E94E134D7401632EBB4D042B8934DCD; Path=/
< Content-Type: text/plain
Content-Type: text/plain
* no chunk, no close, no size. Assume close to signal end
I am able to open the site normally from the browser etc. Why I am I not able to authenticate here? Can someone help me understand
Two things you can try:
Remove --head. You seem to want to send a GET request, not a HEAD request.
Don't forget to provide the credentials as with this example: -u pierre:secret