Web Service CORS Configuration

Your cue-web application is now running on the nginx default port, 81. To work correctly, it must be able to send requests to the Escenic Content Engine's web service. This web service may be running on a different host in a different domain. Even if it is running on the same host as nginx, it will most likely be listening on port 8080 (Tomcat's default port), which makes it a different origin. This means that by default the browser's same-origin policy will block any requests from the cue-web application to the Content Engine web service as cross-origin requests.

You can, however, enable cross-origin communication between the cue-web application and the Content Engine web service by setting up an nginx proxy for the web service. The proxy forwards requests to the actual web service and adds the CORS headers needed to ensure that the requests will not be rejected.

Here is an example of a /etc/nginx/default-site/webservice.conf file that sets up a proxy that will work if CUE is installed on the same host as the Content Engine web service:

location ~ "/(webservice|webservice-extensions)/(.*)" {
    # Only requests whose Origin header matches this filter get CORS headers
    # (~* is a case-insensitive regular expression match).
    if ($http_origin ~* (http://localhost(:[0-9]+)?)$) {
        set $cors "true";
    }
    # Append a suffix for the request method, so that $cors ends up as
    # "trueoptions", "trueget" or "truepost" for an allowed origin.
    if ($request_method = 'OPTIONS') {
        set $cors "${cors}options";
    }
    if ($request_method = 'GET') {
        set $cors "${cors}get";
    }
    if ($request_method = 'HEAD') {
        set $cors "${cors}get";
    }
    if ($request_method = 'POST') {
        set $cors "${cors}post";
    }
    if ($request_method = 'PUT') {
        set $cors "${cors}post";
    }
    if ($request_method = 'DELETE') {
        set $cors "${cors}post";
    }
    # Allowed origin, GET or HEAD: echo the origin back and allow credentials.
    if ($cors = "trueget") {
        add_header "Access-Control-Allow-Origin" "$http_origin";
        add_header "Access-Control-Allow-Credentials" "true";
        add_header "Access-Control-Expose-Headers" "Link,X-ECE-Active-Connections,Location,ETag,Allow";
    }
    # Allowed origin, POST, PUT or DELETE: same headers as above.
    if ($cors = "truepost") {
        add_header "Access-Control-Allow-Origin" "$http_origin";
        add_header "Access-Control-Allow-Credentials" "true";
        add_header "Access-Control-Expose-Headers" "Link,X-ECE-Active-Connections,Location,ETag,Allow";
    }
    # Allowed origin, preflight: nginx answers directly and does not
    # contact the web service.
    if ($cors = "trueoptions") {
        add_header 'Access-Control-Allow-Origin' "$http_origin";
        add_header 'Access-Control-Allow-Credentials' 'true';
        add_header 'Access-Control-Max-Age' 1728000;
        add_header 'Access-Control-Allow-Methods' 'GET, POST, HEAD, OPTIONS, PUT, DELETE';
        add_header 'Access-Control-Allow-Headers' 'Authorization,Content-Type,Accept,Origin,User-Agent,DNT,Cache-Control,X-Mx-ReqToken,Keep-Alive,X-Requested-With,If-Modified-Since,If-Match,If-None-Match,X-Escenic-Locks,X-Escenic-media-filename';
        add_header 'Content-Length' 0;
        add_header 'Content-Type' 'text/plain; charset=UTF-8';
        return 204;
    }
    # All requests other than an answered preflight are passed on to the
    # Content Engine web service.
    proxy_set_header Host $http_host;
    proxy_pass http://127.0.0.1:8080;
}

If you have installed CUE on a different machine from the Content Engine web service (potentially in a different domain), then you will need to modify the above example as follows:

  • Replace the origin filter at the top of the file:

        if ($http_origin ~* (http://localhost(:[0-9]+)?)$) {
            set $cors "true";
        }

    with a filter for the domain in which the cue-web application is running. For example:

        if ($http_origin ~* (https?://[^/]*\.dev\.my-cue-domain\.com(:[0-9]+)?)$) {
            set $cors "true";
        }

  • Replace the target IP address at the bottom of the file:

      proxy_pass http://127.0.0.1:8080;

    with the IP address or domain name of the Content Engine web service, for example:

      proxy_pass http://my-webservice-domain.com:8080;
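
Because the proxy echoes the request's Origin back together with Access-Control-Allow-Credentials, the origin filter is what decides which sites may call the web service, so it is worth checking a modified filter before deploying it. The following Python model of the if-chain is an added example, not part of the CUE documentation; the sample origins are constructed, and it assumes Python's re module matches these two patterns the same way nginx's regex engine does.

```python
import re

# Origin filters copied from the page. nginx's "~*" is a case-insensitive,
# unanchored regex search, modelled here with re.search (assumption: Python's
# re and nginx's PCRE agree for these two patterns).
LOCALHOST_FILTER = r"(http://localhost(:[0-9]+)?)$"
DOMAIN_FILTER = r"(https?://[^/]*\.dev\.my-cue-domain\.com(:[0-9]+)?)$"

# Suffix that each "if ($request_method = ...)" block appends to $cors.
METHOD_SUFFIX = {"OPTIONS": "options", "GET": "get", "HEAD": "get",
                 "POST": "post", "PUT": "post", "DELETE": "post"}

def cors_state(origin_filter, origin, method):
    """Value of $cors after the if-chain (an unset variable counts as "")."""
    allowed = bool(origin) and re.search(origin_filter, origin, re.IGNORECASE)
    return ("true" if allowed else "") + METHOD_SUFFIX.get(method, "")

def outcome(origin_filter, origin, method):
    """What the location block does with one request."""
    state = cors_state(origin_filter, origin, method)
    if state == "trueoptions":
        return "preflight answered with 204"
    if state in ("trueget", "truepost"):
        return "proxied with CORS headers"
    return "proxied without CORS headers"

# Constructed sample requests: (filter, Origin header or None, method).
CASES = [
    (LOCALHOST_FILTER, "http://localhost:81", "GET"),
    (LOCALHOST_FILTER, "https://localhost:81", "GET"),   # https is not in the filter
    (DOMAIN_FILTER, "https://editor.dev.my-cue-domain.com", "OPTIONS"),
    (DOMAIN_FILTER, "https://editor.dev.my-cue-domain.com", "PUT"),
    (DOMAIN_FILTER, "https://dev.my-cue-domain.com", "GET"),  # no label before ".dev"
    (DOMAIN_FILTER, "https://editor.dev.my-cue-domain.com.example.net", "GET"),
    (DOMAIN_FILTER, "https://editor.dev.my-cue-domain.com", "PATCH"),  # method not handled
    (DOMAIN_FILTER, None, "OPTIONS"),                    # no Origin header
]

def run_cases():
    """Outcome for every constructed case, in order."""
    return [outcome(f, o, m) for f, o, m in CASES]

if __name__ == "__main__":
    for (_, origin, method), result in zip(CASES, run_cases()):
        print(f"{method:8} {origin!s:52} -> {result}")
```

Requests reported as "proxied without CORS headers" still reach the web service; it is the browser that then withholds the response from the calling page.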