Fixes #16: Added a third parameter to http-request lua cors that accepts a comma-delimited list of custom headers, which sets the Access-Control-Allow-Headers response header.

Author: NickMRamirez

README.md

@@ -6,7 +6,9 @@ Lua library for enabling CORS in HAProxy.
 
 Cross-origin Request Sharing allows you to permit client-side code running within a different domain to call your services. This module extends HAProxy so that it can:
 
-* set an *Access-Control-Allow-Methods* and *Access-Control-Max-Age* header in response to CORS preflight requests.
+* set an *Access-Control-Allow-Methods* header in response to a preflight request
+* set an *Access-Control-Allow-Headers* header in response to a preflight request
+* set an *Access-Control-Max-Age* header in response to a preflight request
 * set an *Access-Control-Allow-Origin* header to whitelist a domain. Note that this header should only ever return either a single domain or an asterisk (*). Otherwise, it would have been possible to hardcode all permitted domains without the need for Lua scripting.
 
 This library checks the incoming *Origin* header, which contains the calling code's domain, and tries to match it with the list of permitted domains. If there is a match, that domain is sent back in the *Access-Control-Allow-Origin* header.
@@ -31,22 +33,29 @@ global
     lua-load /path/to/cors.lua
 ```
 
-In your `frontend` or `listen` section, capture the client's *Origin* request header by adding `http-request lua.cors` The first parameter is a comma-delimited list of HTTP methods that can be used. The second parameter is comma-delimited list of origins that are permitted to call your service.
+In your `frontend` or `listen` section, capture the client's *Origin* request header by adding `http-request lua.cors` Its parameters are:
 
-```
-http-request lua.cors "GET,PUT,POST" "example.com,localhost,localhost:8080"
-```
+* The first parameter is a comma-delimited list of HTTP methods that can be used. This is used to set the *Access-Control-Allow-Methods* header.
+* The second parameter is comma-delimited list of origins that are permitted to call your service. This is used to set the *Access-Control-Allow-Origin* header.
+* The third parameter is a comma-delimited list of custom headers that can be used. This is used to set the *Access-Control-Allow-Headers* header.
+
+Each of these parameters can be set to an asterisk (*) to allow all values.
 
-Within the same section, invoke the `http-response lua.cors` action to attach CORS headers to responses from backend servers.
+Within the same `frontend` or `listen` section, add the `http-response lua.cors` action to attach CORS headers to responses from backend servers.
 
+**Example 1: Allow specific methods, origins and headers**
 ```
+http-request lua.cors "GET,PUT,POST" "example.com,localhost,localhost:8080", "X-Custom-Header1,X-Custom-Header2"
+
 http-response lua.cors 
 ```
 
-You can also whitelist all domains by setting the second parameter to an asterisk:
+Example 2: Allow all methods, origins, and headers
 
 ```
-http-request lua.cors "GET,PUT,POST" "*"
+http-request lua.cors "*" "*", "*"
+
+http-response lua.cors 
 ```
 
 ## Preflight Requests
@@ -57,7 +66,8 @@ For versions prior to 2.2, the module must forward the request to the backend se
 
 This module returns the following CORS headers for a preflight request:
 
-* `Access-Control-Allow-Method` - set to the HTTP methods you set with `http-request lua cors` in the haproxy.cfg file
+* `Access-Control-Allow-Methods` - set to the HTTP methods you set with `http-request lua cors` in the haproxy.cfg file
+* `Access-Conrol-Allow-Headers` - set to the HTTP headers you set with `http-request lua cors` in the haproxy.cfg file
 * `Access-Control-Max-Age` - set to 600
 
 ## Example

example/haproxy/cors.lua

@@ -48,9 +48,11 @@ end
 -- be intercepted and returned immediately.
 -- txn: The current transaction object that gives access to response properties
 -- allowed_methods: Comma-delimited list of allowed HTTP methods. (e.g. GET,POST,PUT,DELETE)
-function preflight_request_ver1(txn, allowed_methods)
+-- allowed_headers: Comma-delimited list of allowed headers. (e.g. X-Header1,X-Header2)
+function preflight_request_ver1(txn, allowed_methods, allowed_headers)
   core.Debug("CORS: preflight request received")
   txn.http:res_add_header("Access-Control-Allow-Methods", allowed_methods)
+  txn.http:res_add_header("Access-Control-Allow-Headers", allowed_headers)
   txn.http:res_add_header("Access-Control-Max-Age", 600)
   core.Debug("CORS: attaching allowed methods to response")
 end
@@ -62,13 +64,15 @@ end
 -- origin: The value from the 'origin' request header
 -- allowed_methods: Comma-delimited list of allowed HTTP methods. (e.g. GET,POST,PUT,DELETE)
 -- allowed_origins: Comma-delimited list of allowed origins. (e.g. localhost,localhost:8080,test.com)
-function preflight_request_ver2(txn, origin, allowed_methods, allowed_origins)
+-- allowed_headers: Comma-delimited list of allowed headers. (e.g. X-Header1,X-Header2)
+function preflight_request_ver2(txn, origin, allowed_methods, allowed_origins, allowed_headers)
   core.Debug("CORS: preflight request received")
 
   local reply = txn:reply()
   reply:set_status(204, "No Content")
   reply:add_header("Content-Type", "text/html")
   reply:add_header("Access-Control-Allow-Methods", allowed_methods)
+  reply:add_header("Access-Control-Allow-Headers", allowed_headers)
   reply:add_header("Access-Control-Max-Age", 600)
 
   local allowed_origin = get_allowed_origin(origin, allowed_origins)
@@ -90,7 +94,8 @@ end
 -- txn: The current transaction object that gives access to response properties
 -- allowed_methods: Comma-delimited list of allowed HTTP methods. (e.g. GET,POST,PUT,DELETE)
 -- allowed_origins: Comma-delimited list of allowed origins. (e.g. localhost,localhost:8080,test.com)
-function cors_request(txn, allowed_methods, allowed_origins)
+-- allowed_headers: Comma-delimited list of allowed headers. (e.g. X-Header1,X-Header2)
+function cors_request(txn, allowed_methods, allowed_origins, allowed_headers)
   local headers = txn.http:req_get_headers()
   local origin = headers["origin"][0]
 
@@ -103,14 +108,15 @@ function cors_request(txn, allowed_methods, allowed_origins)
 
   transaction_data["allowed_methods"] = allowed_methods
   transaction_data["allowed_origins"] = allowed_origins
+  transaction_data["allowed_headers"] = allowed_headers
 
   txn:set_priv(transaction_data)
 
   local method = txn.sf:method()
   transaction_data["method"] = method
 
   if method == "OPTIONS" and txn.reply ~= nil then
-    preflight_request_ver2(txn, origin, allowed_methods, allowed_origins)
+    preflight_request_ver2(txn, origin, allowed_methods, allowed_origins, allowed_headers)
   end
 end
 
@@ -121,6 +127,7 @@ function cors_response(txn)
   local origin = transaction_data["origin"]
   local allowed_origins = transaction_data["allowed_origins"]
   local allowed_methods = transaction_data["allowed_methods"]
+  local allowed_headers = transaction_data["allowed_headers"]
   local method = transaction_data["method"]
 
   -- Always vary on the Origin
@@ -137,7 +144,7 @@ function cors_response(txn)
     core.Debug("CORS: " .. origin .. " not allowed")
   else
     if method == "OPTIONS" and txn.reply == nil then
-      preflight_request_ver1(txn, allowed_methods)
+      preflight_request_ver1(txn, allowed_methods, allowed_headers)
     end
 
     core.Debug("CORS: " .. origin .. " allowed")
@@ -146,5 +153,5 @@ function cors_response(txn)
 end
 
 -- Register the actions with HAProxy
-core.register_action("cors", {"http-req"}, cors_request, 2)
+core.register_action("cors", {"http-req"}, cors_request, 3)
 core.register_action("cors", {"http-res"}, cors_response, 0)

example/haproxy/haproxy.cfg

@@ -18,8 +18,10 @@ listen ui
 listen api
     bind :8080
 
+    
+
     # Invoke the CORS service on the request to capture the Origin header
-    http-request lua.cors "GET,PUT,POST", "localhost"
+    http-request lua.cors "GET,PUT,POST", "localhost", "X-Custom-Header"
 
     # Invoke the CORS service on the response to add CORS headers
     http-response lua.cors

example/web/views/index.html

@@ -15,7 +15,7 @@
 
               var btn = document.getElementById('putdata_btn');
               btn.addEventListener("click", function() {
-                fetch('http://localhost:8080/putdata', { method: 'put', body: "test=test" }).then(function(response) {
+                fetch('http://localhost:8080/putdata', { method: 'put', body: "test=test", headers: { 'X-Custom-Header': 'test' } }).then(function(response) {
                     div.innerHTML = "PUT succeeded";
                 });
               });

lib/cors.lua

@@ -48,9 +48,11 @@ end
 -- be intercepted and returned immediately.
 -- txn: The current transaction object that gives access to response properties
 -- allowed_methods: Comma-delimited list of allowed HTTP methods. (e.g. GET,POST,PUT,DELETE)
-function preflight_request_ver1(txn, allowed_methods)
+-- allowed_headers: Comma-delimited list of allowed headers. (e.g. X-Header1,X-Header2)
+function preflight_request_ver1(txn, allowed_methods, allowed_headers)
   core.Debug("CORS: preflight request received")
   txn.http:res_add_header("Access-Control-Allow-Methods", allowed_methods)
+  txn.http:res_add_header("Access-Control-Allow-Headers", allowed_headers)
   txn.http:res_add_header("Access-Control-Max-Age", 600)
   core.Debug("CORS: attaching allowed methods to response")
 end
@@ -62,13 +64,15 @@ end
 -- origin: The value from the 'origin' request header
 -- allowed_methods: Comma-delimited list of allowed HTTP methods. (e.g. GET,POST,PUT,DELETE)
 -- allowed_origins: Comma-delimited list of allowed origins. (e.g. localhost,localhost:8080,test.com)
-function preflight_request_ver2(txn, origin, allowed_methods, allowed_origins)
+-- allowed_headers: Comma-delimited list of allowed headers. (e.g. X-Header1,X-Header2)
+function preflight_request_ver2(txn, origin, allowed_methods, allowed_origins, allowed_headers)
   core.Debug("CORS: preflight request received")
 
   local reply = txn:reply()
   reply:set_status(204, "No Content")
   reply:add_header("Content-Type", "text/html")
   reply:add_header("Access-Control-Allow-Methods", allowed_methods)
+  reply:add_header("Access-Control-Allow-Headers", allowed_headers)
   reply:add_header("Access-Control-Max-Age", 600)
 
   local allowed_origin = get_allowed_origin(origin, allowed_origins)
@@ -90,7 +94,8 @@ end
 -- txn: The current transaction object that gives access to response properties
 -- allowed_methods: Comma-delimited list of allowed HTTP methods. (e.g. GET,POST,PUT,DELETE)
 -- allowed_origins: Comma-delimited list of allowed origins. (e.g. localhost,localhost:8080,test.com)
-function cors_request(txn, allowed_methods, allowed_origins)
+-- allowed_headers: Comma-delimited list of allowed headers. (e.g. X-Header1,X-Header2)
+function cors_request(txn, allowed_methods, allowed_origins, allowed_headers)
   local headers = txn.http:req_get_headers()
   local origin = headers["origin"][0]
 
@@ -103,14 +108,15 @@ function cors_request(txn, allowed_methods, allowed_origins)
 
   transaction_data["allowed_methods"] = allowed_methods
   transaction_data["allowed_origins"] = allowed_origins
+  transaction_data["allowed_headers"] = allowed_headers
 
   txn:set_priv(transaction_data)
 
   local method = txn.sf:method()
   transaction_data["method"] = method
 
   if method == "OPTIONS" and txn.reply ~= nil then
-    preflight_request_ver2(txn, origin, allowed_methods, allowed_origins)
+    preflight_request_ver2(txn, origin, allowed_methods, allowed_origins, allowed_headers)
   end
 end
 
@@ -121,6 +127,7 @@ function cors_response(txn)
   local origin = transaction_data["origin"]
   local allowed_origins = transaction_data["allowed_origins"]
   local allowed_methods = transaction_data["allowed_methods"]
+  local allowed_headers = transaction_data["allowed_headers"]
   local method = transaction_data["method"]
 
   -- Always vary on the Origin
@@ -137,7 +144,7 @@ function cors_response(txn)
     core.Debug("CORS: " .. origin .. " not allowed")
   else
     if method == "OPTIONS" and txn.reply == nil then
-      preflight_request_ver1(txn, allowed_methods)
+      preflight_request_ver1(txn, allowed_methods, allowed_headers)
     end
 
     core.Debug("CORS: " .. origin .. " allowed")
@@ -146,5 +153,5 @@ function cors_response(txn)
 end
 
 -- Register the actions with HAProxy
-core.register_action("cors", {"http-req"}, cors_request, 2)
+core.register_action("cors", {"http-req"}, cors_request, 3)
 core.register_action("cors", {"http-res"}, cors_response, 0)