How do I configure `Access-Control-Allow-Origin` with rails, nginx and passenger?
I cannot get Access-Control-Allow-Origin to show up in Chrome - my ultimate goal is to configure CORS for fonts with Rails, so it works in production with CloudFront. For now though, I just want to get it to work in development. I can see the header via curl, but not Chrome.
I am using Rails 4.0, and I have tried all of the following...
I have configured Gemfile and application.rb as per the rack-cors example for rails 4:
Gemfile
gem 'rack-cors', '~> 0.2.9', require: 'rack/cors'
config/application.rb
config.middleware.insert_before 'ActionDispatch::Static', 'Rack::Cors' do
allow do
origins '*'
resource '*',
:headers => :any,
:methods => [:get, :options, :head]
end
end
rails console
2.0.0-p481 :001 > Rails.env
=> "development"
2.0.0-p481 :002 > Hello::Application.config.serve_static_assets
=> true
bash
curl -i http://localhost:5000/assets/OpenSans-Regular-webfont.woff
Content-Type: application/font-woff
Content-Length: 22660
Connection: keep-alive
Status: 200 OK
Cache-Control: public, must-revalidate
Last-Modified: Wed, 30 Apr 2014 23:51:57 GMT
ETag: "467b34801137bd4031e139839ad86370"
X-Request-Id: c4b07b4d-1c43-44ea-9565-dfda66378f98
X-Runtime: 0.046007
X-Powered-By: Phusion Passenger 4.0.50
Date: Sat, 20 Sep 2014 04:39:38 UTC
Server: nginx/1.6.1 + Phusion Passenger 4.0.50
curl -i -H "Origin: http://localhost:5000" http://localhost:5000/assets/OpenSans-Regular-webfont.woff
Content-Type: application/font-woff
Content-Length: 22660
Connection: keep-alive
Status: 200 OK
Cache-Control: public, must-revalidate
Last-Modified: Wed, 30 Apr 2014 23:51:57 GMT
ETag: "467b34801137bd4031e139839ad86370"
Access-Control-Allow-Origin: http://localhost:5000 # adding
Access-Control-Allow-Methods: GET, OPTIONS, HEAD # -H
Access-Control-Max-Age: 1728000 # produced
Access-Control-Allow-Credentials: true # these
Vary: Origin # headers
X-Request-Id: b9666f30-416d-4b5b-946a-bdd432bc191c
X-Runtime: 0.050420
X-Powered-By: Phusion Passenger 4.0.50
Date: Sat, 20 Sep 2014 03:45:30 UTC
Server: nginx/1.6.1 + Phusion Passenger 4.0.50
Chrome (v37) Developer Tools > Network > OpenSans-Regular-webfont.woff > Headers > Response Headers
HTTP/1.1 304 Not Modified
Connection: keep-alive
Status: 304 Not Modified
Cache-Control: no-cache
X-Request-Id: ac153b8c-e0cb-489d-94dd-90aacc10d715
X-Runtime: 0.116511
X-Powered-By: Phusion Passenger 4.0.50
Date: Sat, 20 Sep 2014 03:41:53 UTC
Server: nginx/1.6.1 + Phusion Passenger 4.0.50
I also tried the following alternatives, as per various sources:
config.middleware.insert_before 'ActionDispatch::Static', 'Rack::Cors' do
config.middleware.insert_after Rails::Rack::Logger, Rack::Cors do
config.middleware.insert_before Warden::Manager, Rack::Cors do
config.middleware.insert 0, Rack::Cors do
config.middleware.use Rack::Cors do
I also tried the following to applications.rb, as per How to Display FontAwesome in Firefox Using Rails and CloudFront:
config.assets.header_rules = {
:global => {'Cache-Control' => 'public, max-age=31536000'},
:fonts => {'Access-Control-Allow-Origin' => '*'}
}
I also tried the following in config.ru, as per CloudFront CDN with Rails on Heroku
require 'rack/cors'
use Rack::Cors do
allow do
origins '*'
resource '*', :headers => :any, :methods => :get
end
end
bundle exec rake middleware
use Rack::Cors
use Rack::Sendfile
use ActionDispatch::Static
use Rack::Lock
use #<ActiveSupport::Cache::Strategy::LocalCache::Middleware:0x007f9ec21590b0>
use Rack::Runtime
use Rack::MethodOverride
use ActionDispatch::RequestId
use Rails::Rack::Logger
use ActionDispatch::ShowExceptions
use ActionDispatch::DebugExceptions
use ActionDispatch::RemoteIp
use ActionDispatch::Reloader
use ActionDispatch::Callbacks
use ActiveRecord::Migration::CheckPending
use ActiveRecord::ConnectionAdapters::ConnectionManagement
use ActiveRecord::QueryCache
use ActionDispatch::Cookies
use ActionDispatch::Session::CookieStore
use ActionDispatch::Flash
use ActionDispatch::ParamsParser
use Rack::Head
use Rack::ConditionalGet
use Rack::ETag
use Warden::Manager
use OmniAuth::Strategies::Facebook
run Hello::Application.routes
I also tried font_assets to no avail.
The Server line made me think that perhaps the assets are not being handled by Rails, but rather by nginx:
This means that the headers must be added by nginx, not Rails, and therefore we need to configure nginx. It turns out that the ability to configure nginx is possible as of Passenger 4.0.39 - (here is the corresponding Git diff). The corresponding documentation is available in Passenger Standalone, under Advanced configuration.
An important note in the documentation: The original configuration template file may change from time to time, e.g. because new features are introduced into Phusion Passenger. If your configuration template file does not contain the required changes, then these new features may not work properly. In the worst case, Standalone might even malfunction. Therefore, every time you upgrade Phusion Passenger, you should check whether the original configuration template file has changed, and merge back any changes into your own file.
With respect to that note, in addition to the customizable copy of the configuration file, create an "original" copy that you can diff whenever you upgrade Passenger.
bash
cp $(passenger-config about resourcesdir)/templates/standalone/config.erb config/nginx.conf.erb
cp config/nginx.conf.erb config/nginx.conf.erb.original
Next, add --nginx-config-template config/nginx.conf.erb to the web line in Procfile.
Procfile
web: bundle exec passenger start -p $PORT --max-pool-size 3 --nginx-config-template config/nginx.conf.erb
config/nginx.conf.erb
Next, edit the configuration file config/nginx.conf.erb by finding a block that looks as follows:
location @static_asset {
gzip_static on;
expires max;
add_header Cache-Control public;
add_header ETag "";
}
...and add the two Access-Control lines:
location @static_asset {
gzip_static on;
expires max;
add_header Cache-Control public;
add_header ETag "";
add_header Access-Control-Allow-Origin *;
add_header Access-Control-Request-Method *;
}
That's it. This will work in production, but not in development, due to config.assets differences between the two.
the config diff
The diff should not return anything now, but if any future updates to passenger include a change to this file, you will know.
diff $(passenger-config about resourcesdir)/templates/standalone/config.erb config/nginx.conf.erb.original
nginx documentation
- http://nginx.org/en/docs/beginners_guide.html
- http://nginx.org/en/docs/http/ngx_http_core_module.html#location
future improvements
- restrict the
Allow-Origin - restrict the
Request-Method - restrict both headers to just fonts
- Own configure block method not found in initializer
- Using acts_as_paranoid plugin for soft delete - what about validations?
- AWS: S3 Bucket AWS You can't grant public access because Block public access settings are turned on for this account
- How to query records that have an ActiveStorage attachment?
- Could not find the association problem in Rails
- jQuery ajaxForm returning .json file
- How do you use LIKE query for enum in rails?
- Why heroku clean assets after precomipling them?
- Devise Scope login to subdomain
- Bootstrap 5 Javascript Functions not Working in Rails 7 app
- attr_accessor default values
- undefined method `humanize' for nil:NilClass
- Passing a variable between controller function in rails
- Ruby tally method: evaluating a hash with a key that is a date
- Redmine (RoR)- Accessing IssueRelation during issue destruction
- Can't find the 'libpq-fe.h header when trying to install pg gem
- saved_changes is empty after persisting changes on a Rails model
- dependent => destroy on a "has_many through" association
- How to add a data-attribute to each option of my select box?
- Rails, passing an object to mailer
- What is ActionDispatch?
- Rails 7.1, log to STDOUT and log/production.log
- How to serve an image from S3?
- Unicorn + Rails 7.1: TypeError: wrong argument type strio (expected strio) (TypeError)
- ruby 2.0 rails gem install error "cannot load such file -- openssl"
- Rails migration for change column
- How do I save a local variable within a factory
- Should I validate the type column? (Rails, STI)
- How can I rollback a specific migration?
- Register an ActiveModel attribute type with the ability to pass options to it?