OLS and CORS headers when using Rewrite to proxy to a different website

#1
While using OLS we need for a project to access an API from a provider that is not CORS configured (no Access-Control-Allow-Origin) and also we need to send an API key which needs to be hidden from client side.

So the desired solution is to use a vhost that has a rewrite rule similar to the one below:
RewriteRule ^/?api/(.*)$ http://domain.com/api/$1?apikey=12345678 [P,QSA]

which will proxy all requests to local /api/ to the http://domain.com/api/ endpoint and also attach the required apikey.
We have added to the vhost the proper External App configuration to be able to proxy.

The proxy solution is working without any issues when using the local /api/ endpoint in all AJAX requests.
But we want to call the /api/ using a distinct subdomain than the main website one for tracking purposes, but in order for this to work we need to setup the CORS headers properly.

We created for the same vhost a context using exp:/.* rule (so to apply to all requests) and in the Header Operations section we added:
Header set Access-Control-Allow-Origin "*"

All requests to this vhost different from /api/ ones are getting the correct header and CORS is working.
The /api/ ones that use the proxy using a rewrite rule do not have the above mentioned header.

Can anyone help us understand if that is a desired functionality (headers stripping) or is this a bug in OLS.
Do we need to modify some other setting in order for the header to be returned also for proxied requests.

Thank you!
 

Pong

Administrator
#2
I think you should have the backend server configurated CORS(it should not be hard anyway). Since OLS will just proxy to the backend for /api/, nothing else.
 
#3
I think you should have the backend server configurated CORS(it should not be hard anyway). Since OLS will just proxy to the backend for /api/, nothing else.
Sorry but we do not understand your reply. The target api/ the server will proxy to is not a service we manage so we cannot set CORS there. The CORS needs to be setup on OLS for a vhost, that is why we tried to use the context setting we mentioned earlier. The context work for the vhost and Access-Control-Allow-Origin "*" header is added for all requests, except /api/... ones which use the proxy rewrite rule.
 

Pong

Administrator
#4
What I means is I think only your target server can set "Access-Control-Allow-Origin" header, not your OLS reserver proxy.
on your OLS, /api/, if it is proxy to target server, it will do proxy only, nothing served from that virtual host /api/ hence header won't be set.
 
#5
We were hoping it will work like this using a context to append the CORS header as we managed a similar implementation using an Apache server and the below rules in .htaccess:

RewriteRule ^api/(.*)$ http://domain.com/api/$1?apikey=12345678 [L,NE,P,QSA,ENV=CORS:true]
Header set Access-Control-Allow-Origin "*" env=CORS

But we would prefer to keep using OLS server which is performing very well on our website.
 
Top