Sync with updates from the forked library #37
Open
itzbernoulli wants to merge 24 commits into boxboat:develop from
add semicolon after client_max_body_size 0
…hecking Feature/include bearer token checking
…oes-not-get-cors-issues set headers to prevent CORS issues in ElasticSearch
Signed-off-by: Caleb Lloyd <caleblloyd@gmail.com>
Signed-off-by: Matthew DeVenny <matt@boxboat.com>
Signed-off-by: Matthew DeVenny <matt@boxboat.com>
Update master for release
Update master
Signed-off-by: Matthew DeVenny <matthew.devenny@gmail.com>
Publish images to ghcr only
## Problem
Requests with Origin headers were being rejected with 403 Forbidden, even
with valid Bearer tokens. This broke both same-origin requests (integration
app → integration Elasticsearch) and cross-origin requests (localhost →
integration) for all browsers making CORS requests.
Root cause: NGINX was sending OPTIONS preflight requests through auth_request,
which rejected them (no credentials in preflight), preventing CORS headers
from being added.
## Solution
- Move OPTIONS handling BEFORE auth_request in proxy-pass-protected.conf
- Return 204 with CORS headers immediately for OPTIONS requests
- Add CORS headers to all actual responses using $http_origin variable
- Remove incorrect OPTIONS handling from @auth internal location
## Changes
- stage/etc/nginx/templates/proxy-pass-protected.conf: Add OPTIONS handler
before auth_request, mirror Origin header in Access-Control-Allow-Origin
- stage/etc/nginx/templates/default.conf: Remove OPTIONS handling from
@auth location (now handled per-location)
- server.go: Enhanced logging for debugging authentication flow
- docker-run.sh: Build local image for easier testing
- CLAUDE.md: Document CORS handling architecture
## Testing
✅ OPTIONS preflight returns 204 with proper CORS headers
✅ Origin header correctly mirrored in Access-Control-Allow-Origin
✅ Access-Control-Allow-Credentials: true set for cookie auth
✅ No authentication required for OPTIONS (per CORS spec)
Fixes issue where integration environment Elasticsearch proxy rejected
all requests with Origin headers, blocking ReactiveSearch components.
The backend Elasticsearch was rejecting requests that included the Origin header, even though authentication succeeded. The proxy now:
- Handles CORS preflight (OPTIONS) requests correctly
- Adds appropriate CORS headers to responses
- Strips the Origin header before forwarding to Elasticsearch
This prevents Elasticsearch from seeing CORS requests and rejecting them.
Merges NGINX configuration improvements for Elasticsearch CORS handling:
- Handle OPTIONS preflight requests BEFORE auth_request
- Add proper CORS headers mirroring Origin with credentials support
- Strip Origin header when proxying to backend (fixes Elasticsearch)
- Add CLAUDE.md documentation and test scripts
Conflict resolution: Kept HEAD's server.go which already has bearer token support and ID/access token flexibility from develop merge. The critical Elasticsearch CORS fixes are in the NGINX templates which merged cleanly.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Adjusted NGINX to handle OPTIONS preflight requests before auth_request
- Ensured proper CORS headers are added, including mirroring the Origin header
- Stripped the Origin header when proxying to Elasticsearch to prevent request rejections
This update resolves issues with CORS requests being blocked and improves compatibility with various browsers.
Merge upstream nginx updates with downstream repo.
This is to test and then sync the updates to ensure compatibility with how we currently use the library.
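The CORS flow described in the commit messages above (preflight answered ahead of `auth_request`, Origin reflected with credentials, Origin stripped toward the backend), written out as an added example that is not the project's own templates. Because reflecting any `$http_origin` together with `Access-Control-Allow-Credentials: true` lets every origin read credentialed responses, the example reflects the Origin only when it is on an allowlist; the `/auth` location, ports, backend address and listed origins are assumptions.

```nginx
# Added example with hypothetical names and addresses; not the project's templates.
# Allowlist: only listed origins are echoed back. Any other Origin maps to "",
# and nginx does not emit an add_header whose value is an empty string.
map $http_origin $cors_origin {
    default                       "";
    "https://app.example.com"     $http_origin;   # constructed origin
    "http://localhost:3000"       $http_origin;   # constructed origin
}
# Send the credentials header only when the origin was accepted above.
map $cors_origin $cors_credentials {
    ""        "";
    default   "true";
}

server {
    listen 8080;

    location = /auth {
        internal;
        proxy_pass http://127.0.0.1:9000/validate;   # hypothetical token validator
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
    }

    location / {
        # "return" runs in the rewrite phase, which precedes the access phase
        # where auth_request runs, so the preflight needs no credentials.
        if ($request_method = OPTIONS) {
            add_header Access-Control-Allow-Origin      $cors_origin always;
            add_header Access-Control-Allow-Credentials $cors_credentials always;
            add_header Access-Control-Allow-Methods     "GET, POST, OPTIONS" always;
            add_header Access-Control-Allow-Headers     "Authorization, Content-Type" always;
            add_header Access-Control-Max-Age           600 always;
            add_header Vary                             Origin always;
            return 204;
        }

        auth_request /auth;

        # Weak form: add_header Access-Control-Allow-Origin $http_origin always;
        # Hardened form: reflect only allowlisted origins.
        add_header Access-Control-Allow-Origin      $cors_origin always;
        add_header Access-Control-Allow-Credentials $cors_credentials always;
        add_header Vary                             Origin always;

        proxy_set_header Origin "";          # backend never sees the Origin header
        proxy_pass http://127.0.0.1:9200;    # constructed backend address
    }
}
```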