Authorization header does not reach API only on GE

2019-07-19 08:13发布

I have an app built on laravel and locally it all works fine, but in server it does not work correctly.

The app is hosted on nginx and PUT, POST, DELETE requests are able to send Authorization header to API except for GET request.

Which makes it weird because I know that on apache you need to allow Authorization header and on nginx there is no need for that.

Also I have debugged when I call route Route::get('reports/{amount}','ReportsController@show'); Authorization header does not reach API but it does exist in request header.

And when I change route method to POST: Route::post('reports/{amount}','ReportsController@show'); the Authorization header reaches API.

This is the server's nginx config:

server {
listen 80;
listen [::]:80;

client_max_body_size 10M;

#add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

add_header X-Frame-Options SAMEORIGIN;
add_header X-Frame-Options 'allow-from https://www.someweb.com';
    add_header X-Frame-Options 'allow-from https://www.someweb.com';
add_header X-Content-Type-Options nosniff;
    add_header 'Referrer-Policy' 'strict-origin';
    add_header X-XSS-Protection "1; mode=block";

root /var/www/html;

index index.html index.htm index.nginx-debian.html, index.php;

error_page 404 /404.html;

include snippets/fastcgi-php.conf;

location /security {
    alias /var/www/html/security/public;
    try_files $uri $uri/ @security;

    location ~ \.php$ {
            include snippets/fastcgi-php.conf;
                fastcgi_param SCRIPT_FILENAME $request_filename;
                fastcgi_pass unix:/run/php/php7.2-fpm.sock;
        }
}

location @security {
        rewrite /security/(.*)$ /security/index.php?/$1 last;
    }
}

I am not very familiar with nginx but I do not see any exclusion for headers or GET requests. Has anyone came across this problem?

Is there anyway to identify where problem lies? Since my browser has header and API does not get it I assume it is server's fault, but I have no idea how to fix it.

标签: laravel nginx
1条回答
戒情不戒烟
2楼-- · 2019-07-19 09:02

I am almost certain that you have to add it to a list of allow headers that can be received in your nginx config..

add_header Access-Control-Allow-Headers "Authorization";

I am almost in the same boat as you so I will probably have same issue but as it stands I know in my Dev that allowHeaders is set to wildcard.

You might also have to list add_header Access-Control-Allow-Methods "GET POST DELETE OPTIONS"; or use *?

查看更多
登录 后发表回答