You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: README.md
+19-2Lines changed: 19 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -6,11 +6,13 @@ Lua library for enabling CORS in HAProxy.
6
6
7
7
Cross-origin Request Sharing allows you to permit client-side code running within a different domain to call your services. This module extends HAProxy so that it can:
8
8
9
-
* set an *Access-Control-Allow-Methods* header in response to CORS preflight requests.
9
+
* set an *Access-Control-Allow-Methods*and *Access-Control-Max-Age*header in response to CORS preflight requests.
10
10
* set an *Access-Control-Allow-Origin* header to whitelist a domain. Note that this header should only ever return either a single domain or an asterisk (*). Otherwise, it would have been possible to hardcode all permitted domains without the need for Lua scripting.
11
11
12
12
This library checks the incoming *Origin* header, which contains the calling code's domain, and tries to match it with the list of permitted domains. If there is a match, that domain is sent back in the *Access-Control-Allow-Origin* header.
13
13
14
+
It also sets the *Vary* header to *Accept-Encoding,Origin* so that caches do not reuse cached CORS responses for different origins.
15
+
14
16
## Dependencies
15
17
16
18
* HAProxy must be compiled with Lua support.
@@ -45,4 +47,19 @@ You can also whitelist all domains by setting the second parameter to an asteris
45
47
46
48
```
47
49
http-request lua.cors "GET,PUT,POST" "*"
48
-
```
50
+
```
51
+
52
+
## Preflight Requests
53
+
54
+
This module handles preflight OPTIONS requests, but it does it differently depending on if you are using HAProxy 2.2 and above. For 2.2, the module intercepts the preflight request and returns it immediately without contacting the backend server.
55
+
56
+
For versions prior to 2.2, the module must forward the request to the backend server and then attach the CORS headers to the response as it passes back through the load balancer.
57
+
58
+
This module returns the following CORS headers for a preflight request:
59
+
60
+
*`Access-Control-Allow-Method` - set to the HTTP methods you set with `http-request lua cors` in the haproxy.cfg file
61
+
*`Access-Control-Max-Age` - set to 600
62
+
63
+
## Example
64
+
65
+
Check the *example* directory for a working demo. It uses Docker Compose to run HAProxy and a web server in containers. Go to http://localhost to test it. It demonstrates a preflight request by clicking the "PUT data" button.
0 commit comments