<div dir="ltr"><div><div><div><div>Hi Richard.<br><br>You have got me thinking ...<br><a href="https://username:password@1.2.3.4/">https://username:password@1.2.3.4/</a> works, even without ANY of the "add_header" and "proxy_set_header" directives.<br><br>So, now the only thing that worries me is security.<br><br><a href="http://stackoverflow.com/questions/4143196/is-get-data-also-encrypted-in-https">http://stackoverflow.com/questions/4143196/is-get-data-also-encrypted-in-https</a> indicates that the URL is safe, in the sense that "username" and "password" would not be sniffable through a man-in-the-middle attack, right?<br><br></div><div>Also, since 1.2.3.4 is our own server, we are not really bothered about GET-requests getting logged on the server, so we should be good.<br></div><div><br></div>Do I make sense?<br></div><div><br></div>Kindly let me know your thoughts.<br><br><br></div>Thanks and Regards,<br></div>Ajay<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Apr 13, 2017 at 11:07 PM, Richard Stanway <span dir="ltr"><<a href="mailto:r1ch+nginx@teamliquid.net" target="_blank">r1ch+nginx@teamliquid.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">You're missing the "Authorization" header in your Access-Control-Allow-Headers directive.<div><br></div><div>You can alternatively pass the basic auth in your URI, eg xhr.open("GET", "<a href="https://username:password@1.2.3.4/" target="_blank">https://username:password@1.2.3.4/</a>") rather than crafting it manually.</div></div><div class="gmail_extra"><br><div class="gmail_quote"><div><div class="h5">On Thu, Apr 13, 2017 at 4:50 PM, Ajay Garg <span dir="ltr"><<a href="mailto:ajaygargnsit@gmail.com" target="_blank">ajaygargnsit@gmail.com</a>></span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div 
class="h5">Strange, but rebooting the machine caused the credentials-popup to be<br>
seen again :-|<br>
Sorry for the noise here.<br>
<br>
There has been some progress, but still get a "CORS preflight did not<br>
succeed error".<br>
Following is what I am doing.<br>
<br>
<br>
a)<br>
Following is the server-block in /etc/nginx/conf.d/default.conf ::<br>
<br>
##############################<wbr>##############################<wbr>##############<br>
<span>server {<br>
<br>
                listen 443 ssl;<br>
<br>
                ssl_certificate /etc/nginx/ssl/nginx.crt;<br>
                ssl_certificate_key /etc/nginx/ssl/nginx.key;<br>
<br>
</span>                add_header 'Access-Control-Max-Age' 1728000 'always';<br>
                add_header 'Access-Control-Allow-Origin' $http_origin 'always';<br>
                add_header 'Access-Control-Allow-Credentials' 'true' 'always';<br>
<span>                add_header 'Access-Control-Allow-Methods' 'GET, POST,<br>
OPTIONS' 'always';<br>
</span><span>                add_header 'Access-Control-Allow-Headers'<br>
'DNT,Access-Control-Allow-Origin,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'<br>
'always';<br>
<br>
                location / {<br>
<br>
</span><span>                        auth_basic 'Restricted';<br>
                        auth_basic_user_file /etc/nginx/ssl/.htpasswd;<br>
<br>
                        proxy_set_header 'Access-Control-Max-Age' 1728000;<br>
                        proxy_set_header 'Access-Control-Allow-Origin' '*';<br>
                        proxy_set_header<br>
'Access-Control-Allow-Credentials' 'true';<br>
                        proxy_set_header<br>
'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';<br>
                        proxy_set_header<br>
'Access-Control-Allow-Headers'<br>
'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';<br>
<br>
                        proxy_pass<br>
$forwarded_protocol://127.0.0.1:$forwarded_port;<br>
<br>
                }<br>
        }<br>
</span>##############################<wbr>##############################<wbr>##############<br>
<br>
<br>
<br>
<br>
b)<br>
Firing the following html from firefox (sensitive information changed) ::<br>
<br>
##############################<wbr>##############################<wbr>##############<br>
<html><br>
<body><br>
<script type="text/javascript"><br>
var data = null;<br>
<br>
var xhr = new XMLHttpRequest();<br>
xhr.withCredentials = true;<br>
<br>
xhr.addEventListener("readystatechange", function () {<br>
      if (this.readyState === 4) {<br>
              console.log(this.responseText);<br>
                }<br>
});<br>
<br>
xhr.open("GET", "<a href="https://1.2.3.4/" rel="noreferrer" target="_blank">https://1.2.3.4/</a>");<br>
xhr.setRequestHeader("authorization", "Basic abcdefg");<br>
xhr.setRequestHeader("cache-control", "no-cache");<br>
<br>
xhr.send(data);<br>
</script><br>
</body><br>
</html><br>
##############################<wbr>##############################<wbr>##############<br>
<br>
<br>
<br>
Following is received in the firebug-console (sensitive information changed) ::<br>
<br>
##############################<wbr>##############################<wbr>##############<br>
GET <a href="https://23.253.207.208/" rel="noreferrer" target="_blank">https://23.253.207.208/</a><br>
uff.html (line 19)<br>
Headers<br>
<br>
Accept<br>
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8<br>
Accept-Encoding   gzip, deflate, br<br>
Accept-Language   en-US,en;q=0.5<br>
Authorization         Basic abcdefg<br>
Cache-Control       no-cache<br>
Host                     1.2.3.4<br>
Origin                    null<br>
User-Agent            Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:47.0)<br>
Gecko/20100101 Firefox/47.0<br>
<span><br>
<br>
Cross-Origin Request Blocked: The Same Origin Policy disallows reading<br>
</span>the remote resource at <a href="https://1.2.3.4/" rel="noreferrer" target="_blank">https://1.2.3.4/</a>. (Reason: CORS preflight<br>
channel did not succeed).<br>
##############################<wbr>##############################<wbr>##############<br>
<br>
<br>
I am beginning to believe that I am close to solving the issue (of<br>
course all credit to tremendous help from this list).<br>
I will be grateful for the last bit of help from the<br>
really helpful experts here.<br>
<br>
Sorry again for the noise in my previous email.<br>
<br>
<br>
Thanks and Regards,<br>
</div></div><div class="m_9165705965310975157HOEnZb"><div class="m_9165705965310975157h5">Ajay<span class=""><br>
______________________________<wbr>_________________<br>
nginx mailing list<br>
<a href="mailto:nginx@nginx.org" target="_blank">nginx@nginx.org</a><br>
<a href="http://mailman.nginx.org/mailman/listinfo/nginx" rel="noreferrer" target="_blank">http://mailman.nginx.org/mailm<wbr>an/listinfo/nginx</a><br>
</span></div></div></blockquote></div><br></div>
</blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature" data-smartmail="gmail_signature">Regards,<br>Ajay<br></div>
</div>
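<div>Richard's point about the missing "Authorization" entry, as an added example that is not part of the original thread: a small JavaScript model of the checks a browser applies to a CORS preflight response, run against the header values posted above. The function names are hypothetical, and the 200 and 401 statuses are constructed inputs, not values observed in the thread.</div>

```javascript
// Added example, not code from the thread. Models two checks a browser makes
// on the OPTIONS preflight response before it sends the real request.

// CORS-safelisted request header names: setting only these needs no preflight
// (the value restrictions on content-type are ignored in this model).
const SAFELISTED = new Set(["accept", "accept-language", "content-language", "content-type"]);

// Headers set via setRequestHeader() that the browser announces in
// Access-Control-Request-Headers (lowercased, sorted).
function preflightRequestHeaders(scriptHeaders) {
  return scriptHeaders.map((h) => h.toLowerCase())
    .filter((h) => !SAFELISTED.has(h))
    .sort();
}

// Parse an Access-Control-Allow-Headers value into a set of lowercase names.
// "*" is kept as a literal name: it never covers "authorization".
function parseAllowHeaders(value) {
  return new Set(value.split(",").map((h) => h.trim().toLowerCase()).filter(Boolean));
}

// Return the reasons the preflight fails; an empty array means it passes.
function preflightFailures(scriptHeaders, response) {
  const reasons = [];
  if (Math.floor(response.status / 100) !== 2) {
    reasons.push(`status ${response.status} is not 2xx`);
  }
  const allowed = parseAllowHeaders(response.allowHeaders);
  for (const h of preflightRequestHeaders(scriptHeaders)) {
    if (!allowed.has(h)) {
      reasons.push(`header "${h}" not in Access-Control-Allow-Headers`);
    }
  }
  return reasons;
}

// Values copied from the thread: the server-level add_header list and the
// two headers the posted script sets.
const POSTED_ALLOW = "DNT,Access-Control-Allow-Origin,X-CustomHeader,Keep-Alive," +
  "User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type";
const SCRIPT_HEADERS = ["authorization", "cache-control"];

// Constructed responses: status 200 is assumed so the header check is isolated.
console.log(preflightFailures(SCRIPT_HEADERS, { status: 200, allowHeaders: POSTED_ALLOW }));
console.log(preflightFailures(SCRIPT_HEADERS,
  { status: 200, allowHeaders: POSTED_ALLOW + ",Authorization" }));
```

The same function also reports a non-2xx preflight status, so it can be pointed at the status and headers captured from a real OPTIONS response when debugging a configuration like this one.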