CORS headers with NginX and the auth_request module


I have an NginX box with the auth_request module installed, which authorises each request via our authentication service, and forwards the request on to our backend services if the request is authorised, and also adds CORS headers.

The issue that I'm having is that when our authorisation service returns a non-200 status code, e.g. 401 for unauthorised users, NginX returns a 401 to the client without any of the CORS headers, regardless of whether they are set by NginX or by our authorisation service.

My question is, how can I add CORS headers to the response from NginX when a 401 is returned? NginX seems to ignore the add_header command.


There is 1 best solution below


I've managed to find the answer to this, in case anyone else is experiencing the same problem.

This can be achieved using add_header with the always keyword.

For example,

add_header Access-Control-Expose-Headers "X-My-Header" always;

Without the always keyword, the auth_request module seems to strip non-standard headers from the response in the case of a 4xx response from the authorisation service.

For more information, see http://nginx.org/en/docs/http/ngx_http_headers_module.html
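
A fuller configuration showing the fix from the answer above, as an added example that is not part of the original post. The origin allowlist, upstream names, addresses and paths are assumptions; only `X-My-Header` comes from the answer.

```nginx
# Added example. Hostnames, upstreams and paths are assumed placeholders.
# This fragment belongs inside the http {} block.

# Echo the Origin back only for allowlisted origins. For any other origin
# the variable is empty, and nginx omits a header whose value is empty.
map $http_origin $cors_origin {
    default                    "";
    "https://app.example.com"  $http_origin;
}

upstream backend      { server 127.0.0.1:8080; }  # assumed backend service
upstream auth_backend { server 127.0.0.1:9000; }  # assumed auth service

server {
    listen 80;
    server_name api.example.com;

    location /api/ {
        auth_request /_auth;

        # Weak form: without "always", add_header applies only to
        # 200, 201, 204, 206, 301, 302, 303, 304, 307 and 308 responses,
        # so a 401 from the auth subrequest reaches the browser with no
        # CORS headers.
        # add_header Access-Control-Allow-Origin $cors_origin;

        # Corrected form: "always" adds the header for every status code.
        add_header Access-Control-Allow-Origin   $cors_origin  always;
        add_header Access-Control-Expose-Headers "X-My-Header" always;
        add_header Vary                          "Origin"      always;

        proxy_pass http://backend;
    }

    # Subrequest target used by auth_request; not reachable from clients.
    location = /_auth {
        internal;
        proxy_pass              http://auth_backend/verify;
        proxy_pass_request_body off;
        proxy_set_header        Content-Length "";
        proxy_set_header        X-Original-URI $request_uri;
    }
}
```

`add_header` directives are inherited from the enclosing level only when the current level defines none of its own, so a nested block that adds any header must repeat the CORS lines. The `always` parameter requires nginx 1.7.5 or later.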