Nick

Reputation: 6362

Nginx -- Error 400: Origin is not allowed to make this request

I'm setting up a reverse proxy for MeiliSearch with Nginx. When sending a POST request from an origin, I get a 400: Origin is not allowed to make this request error. However, if the request does not have an origin, everything works correctly.

Interestingly, the response also includes different headers whether or not the origin is present.

Requests/responses

Working request

| Header | Value |
| --- | --- |
| Content-Type | application/json |
| X-Meili-API-Key | asfasdfasdfasdfsafsdfasdfadsfsadff |

Working response

| Header | Value |
| --- | --- |
| Server | nginx/1.18.0 |
| Date | Thu, 14 Jan 2021 19:49:02 GMT |
| Content-Type | application/json |
| Content-Length | 252 |
| Connection | keep-alive |
| Access-Control-Allow-Origin | * |

As you can see, Access-Control-Allow-Origin is a wildcard as it should be.

Failing request

| Header | Value |
| --- | --- |
| Content-Type | application/json |
| X-Meili-API-Key | asfasdfasdfasdfsafsdfasdfadsfsadff |
| Origin | https://example.com |

Failing response

| Header | Value |
| --- | --- |
| Server | nginx/1.18.0 |
| Date | Thu, 14 Jan 2021 19:49:02 GMT |
| Content-Length | 252 |
| Connection | keep-alive |

Access-Control-Allow-Origin is now missing.

Configuration

This is the full configuration file.

server {
    server_name example.com;

    location / {
        # add_header without "always" only applies to 2xx/3xx responses
        if ($request_method ~* "(GET|POST)") {
            add_header "Access-Control-Allow-Origin" *;
        }

        # Answer CORS preflight requests directly from nginx
        if ($request_method = OPTIONS) {
            add_header "Access-Control-Max-Age" 1728000;
            add_header "Access-Control-Allow-Origin" *;
            add_header "Access-Control-Allow-Methods" "GET, POST, OPTIONS, HEAD";
            add_header "Access-Control-Allow-Headers" "Authorization, Origin, X-Requested-With, Content-Type, Accept, X-Meili-API-Key";
            return 204;
        }

        # Forward everything else to MeiliSearch
        proxy_pass http://127.0.0.1:7700;
    }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80 default_server;
    listen [::]:80 default_server;
    server_name example.com;
}

Any ideas?

Upvotes: 2

Views: 2142

Answers (1)

Eskombro

Reputation: 72

This problem was reported for v0.18.0; there was a problem with actix-cors.

https://github.com/meilisearch/MeiliSearch/pull/1185

A new version was released with the fix: v0.18.1

https://github.com/meilisearch/MeiliSearch/releases/tag/v0.18.1

Download the new MeiliSearch version and the problem will go away :)

Upvotes: 3
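An added example, not part of the original question or answer: a small probe that sends the same POST with and without an `Origin` header and reports which side of the CORS handling is failing. The names `diagnose`, `http_send`, `replay` and `OBSERVED` are hypothetical, and the 200 status for the working request is an assumption because the question only says it works.

```python
import urllib.error
import urllib.request

# Constructed replay of the two exchanges in the question. The 200 status for
# the working request is an assumption; the page only says it works.
OBSERVED = {
    False: (200, {"access-control-allow-origin": "*"}),
    True: (400, {}),  # Origin sent: 400 and no ACAO header
}

def replay(extra_headers):
    """Offline stand-in for http_send(), keyed on whether Origin was sent."""
    return OBSERVED["Origin" in extra_headers]

def http_send(url, body, api_key, extra_headers):
    """POST `body` (bytes) to `url`; return (status, lower-cased headers)."""
    headers = {"Content-Type": "application/json", "X-Meili-API-Key": api_key}
    headers.update(extra_headers)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}
    except urllib.error.HTTPError as err:  # 4xx/5xx responses still carry headers
        return err.code, {k.lower(): v for k, v in err.headers.items()}

def diagnose(send, origin):
    """send(extra_headers) -> (status, headers). Returns a one-line finding."""
    base_status, _ = send({})
    status, headers = send({"Origin": origin})
    acao = headers.get("access-control-allow-origin")
    if base_status >= 400:
        return "fails without Origin too: not a CORS problem"
    if status >= 400:
        # nginx add_header without "always" is skipped on 4xx responses, so a
        # missing ACAO header here is a consequence of the error, not its cause.
        return f"server rejects requests carrying Origin (HTTP {status})"
    if acao not in ("*", origin):
        return f"succeeds but Access-Control-Allow-Origin is {acao!r}"
    return "ok"

if __name__ == "__main__":
    print(diagnose(replay, "https://example.com"))
```

For a live check, pass `lambda h: http_send(url, body, key, h)` as `send`. Running it once against the proxy and once directly against the backend address from `proxy_pass` shows whether the rejection comes from nginx or from MeiliSearch.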
