Plesk is preventing CORS headers from reaching external servers

nisamudeen97

Regular Pleskian
Hi,

I was using Plesk 12.1 and CORS headers were working fine on websites as expected. I used the doc https://www.maxcdn.com/one/tutorial/how-to-use-cdn-with-webfonts/ to enable it. Nginx is listening on port 80.

Unfortunately, I have updated Plesk to 12.5 and suddenly CORS headers stopped working. We have checked the server-side logs; meanwhile, we are unable to find any clues. We have done curl testing as explained in the reference doc, and we can see the "access control headers" being returned fine; meanwhile, webfonts were not working as expected.

I have contacted CDN support; they have updated: "Plesk is preventing CORS headers from reaching external servers. I see that they are available on your origin server. We have verified with numerous clients before that Plesk is conflicting with CORS headers for some reason, and the additional code has to be applied on the origin server before it can reach our CDN."

What you can do is log into the Plesk control panel and go to Websites & Domains -> your web site.
There you will find the text field called Additional nginx directives or similar. You will need to paste the nginx code for web fonts into it and save the change. Then purge the cache on the pull zone, as well as your web browser cache. CORS headers will then be applied to the files in the cache on our end.

I have done all the above steps; meanwhile, CORS headers are still not working. I am unsure if this is expected behavior with 12.5.
 
Thanks IgorG.

I get your results on older servers, but this is what I get on the one in question, running CentOS 7:

[root@web8 ~]# httpd -M | grep headers
[Tue Nov 03 08:19:12.356703 2015] [so:warn] [pid 3999] AH01574: module actions_module is already loaded, skipping
[Tue Nov 03 08:19:12.360084 2015] [so:warn] [pid 3999] AH01574: module headers_module is already loaded, skipping
[Tue Nov 03 08:19:12.360561 2015] [so:warn] [pid 3999] AH01574: module logio_module is already loaded, skipping
[Tue Nov 03 08:19:12.362290 2015] [so:warn] [pid 3999] AH01574: module suexec_module is already loaded, skipping
 headers_module (shared)

Please keep in mind I am running nginx, so I think I need to add the syntax to that configuration, not Apache.

This syntax seems to be ignored:

# Allow embedded fonts from a third-party URL (CDN)
location ~ \.(ttf|ttc|otf|eot|woff|woff2|font.css|css|js)$ {
    add_header Access-Control-Allow-Origin "*";
}

Any help is welcome. I just can't seem to get these headers added.

Thanks,
- Paul
 
Hi BlueChannel,

both entries have to be made ( at apache AND nginx ). In your case you would use

for apache:
Code:
<IfModule mod_headers.c>
  <FilesMatch "\.(ttf|ttc|otf|eot|woff|woff2|font.css|css|js)$">
    Header set Access-Control-Allow-Origin "*"
  </FilesMatch>
</IfModule>

for nginx:
Code:
location ~ \.(ttf|ttc|otf|eot|woff|woff2|font.css|css|js)$ {
    add_header Access-Control-Allow-Origin "*";
}

If you added the modifications over the Plesk Control Panel ( Websites & Domains > <domain_name> > Apache & nginx Settings ), your webserver(s) should automatically be restarted.


If you experience issues, please don't forget to provide additional information, as for example:

WHICH php-handler is used?
WHICH PHP version is used?
Did you add more additional directives? WHICH ones?
Are you using a CMS / board software / template based content / ... ? WHICH one?
Are you using plugins/addons/modules for your CMS / board software / template based content / ... ? WHICH one?
...

If you would like forum users to help you, please keep in mind that the more information you provide, the better the investigations and possible suggestions for solving your issue will be. It is also a good idea to post the depending URL, so that people willing to help you can do their own investigations ( if you are concerned about security, you can always edit your post later on and delete such information ).
 
Sadly, this didn't work. What DOES work is if I just add this line to the additional NGINX directives:

add_header Access-Control-Allow-Origin *;

So, I think the issue has something to do with the location directive -- e.g., location ~* \.(woff|ttf)$ {.

These are all of my current directives:

# Allow embedded fonts from a third-party URL (CDN)
# Was unable to add working location directive (e.g., location ~* \.(woff|ttf)$ {)
add_header Access-Control-Allow-Origin *;

# Add trailing slash to directory requests.
rewrite ^([^.]*[^/])$ $1/ permanent;

# Wordpress permalinks - works in /
if (!-e $request_filename) {
rewrite ^(.*)$ /index.php?q=$1 last;
break;
}

I am running PHP 5.6.14 as FPM application served by NGINX on Plesk 12.5.

I can't spend more time on this right now. For my purposes, just opening this up on ALL files is acceptable to me. Hopefully this is helpful for others, but if someone gets the location directive working, please let me know.

- Paul
 
Hi BlueChannel,

feel free to try out as well a more detailed CORS - modification for nginx, as published on http://enable-cors.org/server_nginx.html :

Code:
#
# Wide-open CORS config for nginx
#
location / {
     if ($request_method = 'OPTIONS') {
        add_header 'Access-Control-Allow-Origin' '*';
        #
        # Om nom nom cookies
        # (browsers reject credentialed requests when Allow-Origin is '*')
        #
        add_header 'Access-Control-Allow-Credentials' 'true';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        #
        # Custom headers and headers various browsers *should* be OK with but aren't
        #
        add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
        #
        # Tell client that this pre-flight info is valid for 20 days
        #
        add_header 'Access-Control-Max-Age' 1728000;
        add_header 'Content-Type' 'text/plain; charset=UTF-8';
        add_header 'Content-Length' 0;
        return 204;
     }
     if ($request_method = 'POST') {
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Credentials' 'true';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
     }
     if ($request_method = 'GET') {
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Credentials' 'true';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
     }
}

As you may notice, double quotation marks are defined as single ones and this usage is standard now with current nginx versions.
 
This PHP code worked for me:


// Echo the request's Referer (minus any trailing slash) back as the allowed origin
if ( isset( $_SERVER[ 'HTTP_REFERER' ] ) )
{
    header( 'Access-Control-Allow-Origin: ' . rtrim( $_SERVER['HTTP_REFERER'], '/' ) );
    header( 'Access-Control-Allow-Credentials: true' );
    header( 'Access-Control-Max-Age: 86400' );
}

// Answer CORS preflight (OPTIONS) requests and stop before the page body
if ($_SERVER['REQUEST_METHOD'] == 'OPTIONS')
{
    if ( isset( $_SERVER[ 'HTTP_ACCESS_CONTROL_REQUEST_METHOD' ] ) )
    {
        header("Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS");
    }

    // Allow whatever request headers the client asked for
    if ( isset( $_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS'] ) )
    {
        header( 'Access-Control-Allow-Headers: ' . $_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS'] );
    }
    exit(0);
}
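
The header sets from this thread, checked the way a browser checks them (an added example, not part of any post above): it applies the CORS check from the Fetch standard to the wide-open nginx config and to the Referer-echoing PHP snippet. The `allowlist` policy, the `ALLOWED` origins and the probe origin are hypothetical.

```python
# Added example (not from the thread): the browser-side CORS check from the
# Fetch standard, run against the header sets the thread's configs produce.

ALLOWED = {"https://cdn.example", "https://www.example"}  # constructed allowlist

def browser_accepts(origin, with_credentials, headers):
    """True if a browser would expose the response to a page at `origin`."""
    h = {k.lower(): v for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    if acao is None:
        return False
    if not with_credentials and acao == "*":
        return True
    if acao != origin:
        return False
    # Credentialed reads also need the literal value "true".
    return (not with_credentials) or h.get("access-control-allow-credentials") == "true"

def nginx_wide_open(req):
    # Headers emitted by the "wide-open" nginx config quoted in the thread.
    return {"Access-Control-Allow-Origin": "*",
            "Access-Control-Allow-Credentials": "true"}

def php_referer_reflect(req):
    # Mirrors the PHP post: the Referer is echoed back as the allowed origin.
    if "Referer" not in req:
        return {}
    return {"Access-Control-Allow-Origin": req["Referer"].rstrip("/"),
            "Access-Control-Allow-Credentials": "true"}

def allowlist(req):
    # Hypothetical alternative: echo Origin only when it is on the allowlist.
    origin = req.get("Origin")
    if origin not in ALLOWED:
        return {}
    return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}

def findings(policy, origin="https://untrusted.example"):
    """Probe a policy from an origin the site operator never approved."""
    resp = policy({"Origin": origin, "Referer": origin + "/"})
    out = []
    if browser_accepts(origin, True, resp):
        out.append("unapproved origin can read credentialed responses")
    elif browser_accepts(origin, False, resp):
        out.append("unapproved origin can read non-credentialed responses")
    if (resp.get("Access-Control-Allow-Origin") == "*"
            and resp.get("Access-Control-Allow-Credentials") == "true"):
        out.append("wildcard + credentials: credentialed requests are blocked")
    return out
```

For public static assets such as web fonts, a non-credentialed wildcard is normally acceptable; the finding that matters is an unapproved origin passing the credentialed check.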
 
Having this issue: my FONTS are no longer displaying as they should and now show as a Korean sign, even though I am not using nginx ONLY.
 
I put the code into Plesk in my domain's Apache & nginx settings, but I get an error:

Code:
Invalid nginx configuration: nginx: [emerg] duplicate location "/" in /var/www/vhosts/system/my.domain.com/conf/vhost_nginx.conf:18 nginx: configuration file /etc/nginx/nginx.conf test failed

Any ideas?

 
Hi Rob Jacob,

EXAMPLES are often not meant to be used as a 1:1 - copy. In your case, you see, that the location "location /" is already used, so you have to modify the example in order to get it to work with other location definitions for your domain. You could try to replace:

Code:
...
location / {
     if ($request_method = 'OPTIONS') {
        add_header 'Access-Control-Allow-Origin' '*';
...
with:
Code:
...
#location / {
location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|html|txt|htm)$ {
     if ($request_method = 'OPTIONS') {
        add_header 'Access-Control-Allow-Origin' '*';
...
 