需求
關於跨域報錯的坑 No 'Access-Control-Allow-Origin' header
這段時間折騰了很久究竟是在Java配置還是在Nginx配置,Nginx又要如何配置,最終結論是,個別國內瀏覽器是真的血坑,要麼Chrome內核版本低的可怕,要麼莫名其妙referer丟失。
總之是Nginx更適合用於防盜鏈和通配符跨域。
直接上配置
配置
直接上配置文件
server {
listen 443 ssl http2;
server_name xxx.xxx.com;
...
# 兼容舊瀏覽器內核
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
location / {
# referer防盜鏈開啓 非本域名請求 返回403
# 這裏 none 和 blocked 是允許爲空 用於兼容某些ZZ瀏覽器referer會丟失的情況
valid_referers none blocked xxx.com *.xxx.com;
if ($invalid_referer) {
return 403;
}
# 跨域配置 其中options最好和其他方法分開 直接返回204
# 這裏允許的header需要逐一配置,個別ZZ瀏覽器會不兼容通配符,未配置的header會丟失
# options請求不轉給後端,直接返回204
if ($request_method = OPTIONS) {
add_header Access-Control-Allow-Origin $http_origin;
add_header Access-Control-Allow-Methods GET,POST,OPTIONS;
add_header Access-Control-Allow-Credentials true;
add_header Access-Control-Allow-Headers DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type;
add_header Access-Control-Max-Age 1728000;
return 204;
}
# 這裏通過正則判斷請求是否是來自xxx.com
if ($http_origin ~ xxx\.com) {
add_header Access-Control-Allow-Origin $http_origin;
add_header Access-Control-Allow-Methods GET,POST,OPTIONS;
add_header Access-Control-Allow-Credentials true;
add_header Access-Control-Allow-Headers DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type;
add_header Access-Control-Max-Age 1728000;
}
...
}
}
END
本文同時也會發布在我的個人博客
https://zzzmh.cn/single?id=72