Skip to content

Instantly share code, notes, and snippets.

@nasrulhazim

nasrulhazim/haproxy-cors.md

Last active July 10, 2025 15:09
Show Gist options
  • Save nasrulhazim/3f726dbe91c0fa87730809a014f89a02 to your computer and use it in GitHub Desktop.
Save nasrulhazim/3f726dbe91c0fa87730809a014f89a02 to your computer and use it in GitHub Desktop.
Download ZIP
Setting Up CORS in HAProxy
Raw
haproxy-cors.md 
frontend localnodes
    bind *:80
    reqadd X-Forwarded-Proto:\ http

    # Add CORS headers when Origin header is present
    capture request header origin len 128
    http-response add-header Access-Control-Allow-Origin %[capture.req.hdr(0)] if { capture.req.hdr(0) -m found }
    rspadd Access-Control-Allow-Methods:\ GET,\ HEAD,\ OPTIONS,\ POST,\ PUT  if { capture.req.hdr(0) -m found }
    rspadd Access-Control-Allow-Credentials:\ true  if { capture.req.hdr(0) -m found }
    rspadd Access-Control-Allow-Headers:\ Origin,\ Accept,\ X-Requested-With,\ Content-Type,\ Access-Control-Request-Method,\ Access-Control-Request-Headers,\ Authorization  if { capture.req.hdr(0) -m found }

    default_backend backend_apps

frontend localnodes-https
    # Certificate
    bind *:443 ssl crt /etc/ssl/private/domain_com.pem
    reqadd X-Forwarded-Proto:\ https

    # Add CORS headers when Origin header is present
    capture request header origin len 128
    http-response add-header Access-Control-Allow-Origin %[capture.req.hdr(0)] if { capture.req.hdr(0) -m found }
    rspadd Access-Control-Allow-Methods:\ GET,\ HEAD,\ OPTIONS,\ POST,\ PUT  if { capture.req.hdr(0) -m found }
    rspadd Access-Control-Allow-Credentials:\ true  if { capture.req.hdr(0) -m found }
    rspadd Access-Control-Allow-Headers:\ Origin,\ Accept,\ X-Requested-With,\ Content-Type,\ Access-Control-Request-Method,\ Access-Control-Request-Headers,\ Authorization  if { capture.req.hdr(0) -m found }

    default_backend backend_apps
        
backend backend_apps
    # Force HTTPS
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    redirect scheme https if !{ ssl_fc }
    server App1 192.168.1.201:80 check
    server App2 192.168.1.202:80 check
    server App3 192.168.1.203:80 check
    server App4 192.168.1.204:80 check
    server App5 192.168.1.205:80 check
@nicovs
Copy link

nicovs commented Mar 31, 2022
edited
Loading

@akshatkalkhanda , might be a little late, but:

    capture request header origin len 128
    http-response set-header Access-Control-Allow-Origin %[capture.req.hdr(0)] if { capture.req.hdr(0) -m found }
    http-response set-header Access-Control-Allow-Headers "Origin, Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers, Authorization" if { capture.req.hdr(0) -m found }
    http-response set-header Access-Control-Allow-Methods "GET, HEAD, OPTIONS, POST, PUT" if { capture.req.hdr(0) -m found }
    http-response set-header Access-Control-Allow-Credentials true if { capture.req.hdr(0) -m found }

    http-response set-header Strict-Transport-Security max-age=15768000 if { ssl_fc }
    http-response set-header X-Frame-Options "SAMEORIGIN"
    http-response set-header X-Xss-Protection "1; mode=block"
    http-response set-header X-Content-Type-Options "nosniff"

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment