All calls from my React app (running on port 3100) to my API (on the same machine, but I assume a different port, whatever the default would be for Symfony, Nelmio, PHP) result in the following:
Failed to load https://beta-api.fitchek.com/v1/oauth/login:
Response to preflight request doesn't pass access control check:
No 'Access-Control-Allow-Origin' header is present on the
requested resource. Origin 'https://beta-wellness.fitchek.com' is
therefore not allowed access. If an opaque response serves your
needs, set the request's mode to 'no-cors' to fetch the resource
with CORS disabled.
I have scoured Stack Overflow and other sites for what the config issue might be, but cannot find anything helpful. I have even tried adding some wide-open CORS config to my nginx conf with no difference in results.
My configs are as follows:
config.yml (for Symfony and Nelmio):
nelmio_cors:
    defaults:
        allow_credentials: true
        allow_origin: []
        allow_headers: []
        allow_methods: []
        expose_headers: []
        max_age: 0
        hosts: []
        origin_regex: false
    paths:
        '^/':
            allow_credentials: true
            allow_origin: ['*']
            allow_headers: ['content-type', 'authorization']
            allow_methods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS']
            max_age: 3600
parameters.yml (for the env):
allow_origin_list:
    - 'https://beta-app.fitchek.com'
    - 'https://beta-marketplace.fitchek.com'
    - 'https://beta-canfitpro.fitchek.com'
    - 'https://beta-sweateq.fitchek.com'
    - 'https://beta-payments.fitchek.com'
    - 'https://beta-wellness.fitchek.com'
My nginx config
user www-data;
worker_processes auto;
pid /run/nginx.pid;

events {
    worker_connections 768;
    # multi_accept on;
}

http {
    ##
    # Basic Settings
    ##
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_tokens off;
    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings
    ##
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DHE+AES128:!ADH:!AECDH:!MD5;
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 180m;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    ##
    # Logging Settings
    ##
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Max file upload
    ##
    client_max_body_size 10m;
    client_body_timeout 60s;

    ##
    # Gzip Settings
    ##
    gzip on;
    gzip_disable "msie6";
    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # Virtual Host Configs
    ##
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}
Edited
I cannot see any errors in my Nginx logs or in the php logs. I don't know where else I would look for related errors, nothing appears in the dev or prod logs in the PHP API either.
(When I make the calls from my localhost to the beta server using Postman, the CORS error does not appear and the calls work perfectly! However, when making the calls from the beta server to the beta server, the CORS errors as noted above appear).
Thanks for the help, I found the answer in my API nginx config file. The line to add the header to the OPTIONS call was commented out for some reason. Uncommenting it made the OPTIONS call succeed and the CORS issue is handled.
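The check a browser applies to the OPTIONS preflight response (and that Postman does not perform), as an added example that is not part of the original post. It is a simplified model; the function name `check_preflight` and all three header sets are constructed for illustration, using the origin and config values shown above.

```python
# Added example: simplified model of the browser's CORS preflight check.
# All header sets below are constructed samples, not captured traffic.
SAFE_METHODS = {"GET", "HEAD", "POST"}  # CORS-safelisted methods

def _tokens(value):
    """Split a comma-separated header value into lowercase tokens."""
    return {t.strip().lower() for t in value.split(",") if t.strip()}

def check_preflight(status, headers, origin, method, req_headers=(), credentials=False):
    """Return the reasons a preflight response fails; an empty list means it passes."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    problems = []
    if not 200 <= status <= 299:
        problems.append(f"status {status} is not 2xx")
    acao = h.get("access-control-allow-origin")
    if acao is None:
        problems.append("no Access-Control-Allow-Origin header")
    elif acao == "*":
        if credentials:
            problems.append("wildcard origin rejected for credentialed request")
    elif acao != origin:
        problems.append(f"allowed origin {acao} != {origin}")
    if credentials and h.get("access-control-allow-credentials") != "true":
        problems.append("Access-Control-Allow-Credentials is not 'true'")
    star_ok = not credentials  # "*" only counts for requests without credentials
    methods = _tokens(h.get("access-control-allow-methods", ""))
    if (method.upper() not in SAFE_METHODS and method.lower() not in methods
            and not (star_ok and "*" in methods)):
        problems.append(f"method {method} not allowed")
    allowed = _tokens(h.get("access-control-allow-headers", ""))
    for name in req_headers:
        n = name.lower()
        wildcard = star_ok and "*" in allowed and n != "authorization"
        if n not in allowed and not wildcard:
            problems.append(f"request header {n} not allowed")
    return problems

ORIGIN = "https://beta-wellness.fitchek.com"  # origin from the error message
# Constructed: OPTIONS answered without any CORS headers (the reported failure).
BROKEN = {"Content-Type": "text/html"}
# Constructed: OPTIONS answered with the values from the '^/' path in config.yml.
FIXED = {"Access-Control-Allow-Origin": ORIGIN,
         "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS",
         "Access-Control-Allow-Headers": "content-type, authorization",
         "Access-Control-Max-Age": "3600"}
# Constructed: literal wildcard origin on a credentialed request.
WILDCARD = dict(FIXED, **{"Access-Control-Allow-Origin": "*",
                          "Access-Control-Allow-Credentials": "true"})

if __name__ == "__main__":
    for label, hdrs, creds in (("broken", BROKEN, False), ("fixed", FIXED, False),
                               ("wildcard", WILDCARD, True)):
        print(label, check_preflight(200, hdrs, ORIGIN, "POST", ["content-type"], creds))
```

To run it against a live endpoint, pass in the status and headers returned by an `OPTIONS` request sent with the `Origin`, `Access-Control-Request-Method` and `Access-Control-Request-Headers` headers set.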