
<div dir="ltr"><div><div><div><div>Thanks a ton Richard !!<br><br></div>I will ask my colleague if this works in angularjs on Monday; my gut feel is it will :)<br></div>Thanks a ton guys !!!<br><br><br></div>Thanks and Regards,<br></div>Ajay<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Apr 14, 2017 at 5:01 PM, Richard Stanway <span dir="ltr"><<a href="mailto:r1ch+nginx@teamliquid.net" target="_blank">r1ch+nginx@teamliquid.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">You're correct - placing the username and password in the URI is just as safe as any other method as long as it's going over HTTPS, and the credentials should never appear in any access logs (unless you specifically choose to log the Authorization header).</div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Apr 14, 2017 at 6:47 AM, Ajay Garg <span dir="ltr"><<a href="mailto:ajaygargnsit@gmail.com" target="_blank">ajaygargnsit@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><div><div>Hi Richard.<br><br>You have got me thinking ...<br><a href="https://username:password@1.2.3.4/" target="_blank">https://username:password@1.2.<wbr>3.4/</a> works, even without ANY of the "add_header" and "proxy_set_header" directives.<br><br>So, now the only thing that worries me is security.<br><br><a href="http://stackoverflow.com/questions/4143196/is-get-data-also-encrypted-in-https" target="_blank">http://stackoverflow.com/quest<wbr>ions/4143196/is-get-data-also-<wbr>encrypted-in-https</a> indicates that the URL is safe, in the sense that "username" and "password" would not be sniffable through a man-in-the-middle attack, right?<br><br></div><div>Also, since 1.2.3.4 is our own server, so we are not really bothered about GET-requests getting logged on the server, so we should be good.<br></div><div><br></div>Do I make sense?<br></div><div><br></div>Kindly let know your thoughts.<br><br><br></div>Thanks and Regards,<br></div>Ajay<br></div><div class="gmail_extra"><div><div class="m_8290890680196706103h5"><br><div class="gmail_quote">On Thu, Apr 13, 2017 at 11:07 PM, Richard Stanway <span dir="ltr"><<a href="mailto:r1ch+nginx@teamliquid.net" target="_blank">r1ch+nginx@teamliquid.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">You're missing the "Authorization" header in your Access-Control-Allow-Head<wbr>ers directive.<div><br></div><div>You can alternatively pass the basic auth in your URI, eg xhr.open("GET", "<a href="https://username:password@1.2.3.4/" target="_blank">https://username:password@1.2<wbr>.3.4/</a>") rather than crafting it manually.</div></div><div class="gmail_extra"><br><div class="gmail_quote"><div><div class="m_8290890680196706103m_6908041382908342041h5">On Thu, Apr 13, 2017 at 4:50 PM, Ajay Garg <span dir="ltr"><<a href="mailto:ajaygargnsit@gmail.com" target="_blank">ajaygargnsit@gmail.com</a>></span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="m_8290890680196706103m_6908041382908342041h5">Strange, but rebooting the machine caused the credentials-popup to be<br>

seen again :-|<br>

Sorry for the noise here.<br>

<br>

There has been some progress, but still get a "CORS preflight did not<br>

succeed error".<br>

Following is what I am doing.<br>

<br>

<br>

a)<br>

Following is the server-block in /etc/nginx/conf.d/default.conf ::<br>

<br>

##############################<wbr>##############################<wbr>##############<br>

<span>server {<br>

<br>

                listen 443 ssl;<br>

<br>

                ssl_certificate /etc/nginx/ssl/nginx.crt;<br>

                ssl_certificate_key /etc/nginx/ssl/nginx.key;<br>

<br>

</span>                add_header 'Access-Control-Max-Age' 1728000 'always';<br>

                add_header 'Access-Control-Allow-Origin' $http_origin 'always';<br>

                add_header 'Access-Control-Allow-Credenti<wbr>als' 'true' 'always';<br>

<span>                add_header 'Access-Control-Allow-Methods' 'GET, POST,<br>

OPTIONS' 'always';<br>

</span><span>                add_header 'Access-Control-Allow-Headers'<br>

'DNT,Access-Control-Allow-Orig<wbr>in,X-CustomHeader,Keep-Alive,U<wbr>ser-Agent,X-Requested-With,If-<wbr>Modified-Since,Cache-Control,C<wbr>ontent-Type'<br>

'always';<br>

<br>

                location / {<br>

<br>

</span><span>                        auth_basic 'Restricted';<br>

                        auth_basic_user_file /etc/nginx/ssl/.htpasswd;<br>

<br>

                        proxy_set_header 'Access-Control-Max-Age' 1728000;<br>

                        proxy_set_header 'Access-Control-Allow-Origin' '*';<br>

                        proxy_set_header<br>

'Access-Control-Allow-Credenti<wbr>als' 'true';<br>

                        proxy_set_header<br>

'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';<br>

                        proxy_set_header<br>

'Access-Control-Allow-Headers'<br>

'DNT,X-CustomHeader,Keep-Alive<wbr>,User-Agent,X-Requested-With,I<wbr>f-Modified-Since,Cache-Control<wbr>,Content-Type';<br>

<br>

                        proxy_pass<br>

$forwarded_protocol://<a href="http://127.0.0." target="_blank">127.0.0.</a><wbr>1:$forwarded_port;<br>

<br>

                }<br>

        }<br>

</span>##############################<wbr>##############################<wbr>##############<br>

<br>

<br>

<br>

<br>

b)<br>

Firing the following html from firefox (sensitive information changed) ::<br>

<br>

##############################<wbr>##############################<wbr>##############<br>

<html><br>

<body><br>

<script type="text/javascript"><br>

var data = null;<br>

<br>

var xhr = new XMLHttpRequest();<br>

xhr.withCredentials = true;<br>

<br>

xhr.addEventListener("readysta<wbr>techange", function () {<br>

      if (this.readyState === 4) {<br>

              console.log(this.responseText)<wbr>;<br>

                }<br>

});<br>

<br>

xhr.open("GET", "<a href="https://1.2.3.4/" rel="noreferrer" target="_blank">https://1.2.3.4/</a>");<br>

xhr.setRequestHeader("authoriz<wbr>ation", "Basic abcdefg");<br>

xhr.setRequestHeader("cache-co<wbr>ntrol", "no-cache");<br>

<br>

xhr.send(data);<br>

</script><br>

</body><br>

</html><br>

##############################<wbr>##############################<wbr>##############<br>

<br>

<br>

<br>

Following is received in the firebug-console (sensitive information changed) ::<br>

<br>

##############################<wbr>##############################<wbr>##############<br>

GET <a href="https://23.253.207.208/" rel="noreferrer" target="_blank">https://23.253.207.208/</a><br>

uff.html (line 19)<br>

Headers<br>

<br>

Accept<br>

text/html,application/xhtml+xm<wbr>l,application/xml;q=0.9,*/*;q=<wbr>0.8<br>

Accept-Encoding   gzip, deflate, br<br>

Accept-Language   en-US,en;q=0.5<br>

Authorization         Basic abcdefg<br>

Cache-Control       no-cache<br>

Host                     1.2.3.4<br>

Origin                    null<br>

User-Agent            Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:47.0)<br>

Gecko/20100101 Firefox/47.0<br>

<span><br>

<br>

Cross-Origin Request Blocked: The Same Origin Policy disallows reading<br>

</span>the remote resource at <a href="https://1.2.3.4/" rel="noreferrer" target="_blank">https://1.2.3.4/</a>. (Reason: CORS preflight<br>

channel did not succeed).<br>

##############################<wbr>##############################<wbr>##############<br>

<br>

<br>

I am beginning to believe that I am close to solving the issue (of<br>

course all credit to tremendous help from this list).<br>

I will be grateful for the last bit of help being received by the<br>

really helpful experts here..<br>

<br>

Sorry again for the noise in my previous email.<br>

<br>

<br>

Thanks and Regards,<br>

</div></div><div class="m_8290890680196706103m_6908041382908342041m_9165705965310975157HOEnZb"><div class="m_8290890680196706103m_6908041382908342041m_9165705965310975157h5">Ajay<span><br>

______________________________<wbr>_________________<br>

nginx mailing list<br>

<a href="mailto:nginx@nginx.org" target="_blank">nginx@nginx.org</a><br>

<a href="http://mailman.nginx.org/mailman/listinfo/nginx" rel="noreferrer" target="_blank">http://mailman.nginx.org/mailm<wbr>an/listinfo/nginx</a><br>

</span></div></div></blockquote></div><br></div>

<br>______________________________<wbr>_________________<br>

nginx mailing list<br>

<a href="mailto:nginx@nginx.org" target="_blank">nginx@nginx.org</a><br>

<a href="http://mailman.nginx.org/mailman/listinfo/nginx" rel="noreferrer" target="_blank">http://mailman.nginx.org/mailm<wbr>an/listinfo/nginx</a><br></blockquote></div><br><br clear="all"><br></div></div><span class="m_8290890680196706103HOEnZb"><font color="#888888">-- <br><div class="m_8290890680196706103m_6908041382908342041gmail_signature" data-smartmail="gmail_signature">Regards,<br>Ajay<br></div>

</font></span></div>

<br>______________________________<wbr>_________________<br>

nginx mailing list<br>

<a href="mailto:nginx@nginx.org" target="_blank">nginx@nginx.org</a><br>

<a href="http://mailman.nginx.org/mailman/listinfo/nginx" rel="noreferrer" target="_blank">http://mailman.nginx.org/mailm<wbr>an/listinfo/nginx</a><br></blockquote></div><br></div>

</div></div><br>______________________________<wbr>_________________<br>

nginx mailing list<br>

<a href="mailto:nginx@nginx.org">nginx@nginx.org</a><br>

<a href="http://mailman.nginx.org/mailman/listinfo/nginx" rel="noreferrer" target="_blank">http://mailman.nginx.org/<wbr>mailman/listinfo/nginx</a><br></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature" data-smartmail="gmail_signature">Regards,<br>Ajay<br></div>

</div>