CORS Setup

Configuration examples for Apache, NGINX and how to test your CORS Setup.

Using CORS

CORS is not provided by the app itself. You need to configure CORS to your needs in the Webserver (Nginx or Apache Webserver) that sits in front of Jira.

Note: codeclou does not recommend any specific way of configuring CORS. You should consult a specialist to configure CORS to your needs. The config below is provided without any warranty.

CORS for Apache Webserver

Use this demo config for Apache Webserver v2.4+ to handle HTTP OPTIONS Preflight Requests and set the correct CORS headers. Note that you should still abide by Proxying Atlassian server applications with Apache HTTP Server (mod_proxy_http).

virtual-host.conf
<VirtualHost *:80>
  ServerName api-proxy.codeclou.io

  ## SSL => You should use SSL in production
  #SSLEngine on
  #SSLCertificateKeyFile /etc/ssl.key/example.com.key
  #SSLCertificateFile /etc/ssl.crt/example.com.crt

  ## CORS Header
  Header always set Access-Control-Allow-Origin  "*"
  Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
  Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token"

  ## Handle HTTP Options Preflight Request always with 200
  RewriteEngine On
  RewriteCond %{REQUEST_METHOD} OPTIONS
  RewriteRule ^(.*)$ $1 [R=200,L]

  ## Proxy CEP REST Uris to Jira Server
  <LocationMatch "/rest/jiracustomfieldeditorplugin/1">
    ProxyPass http://jira-server:8080/rest/jiracustomfieldeditorplugin/1 disablereuse=On
    ProxyPassReverse http://jira-server:8080/rest/jiracustomfieldeditorplugin/1
  </LocationMatch>
</VirtualHost>

CORS for NGINX

Use this demo config for NGINX v1+ to handle HTTP OPTIONS Preflight Requests and set the correct CORS headers. Note that you should still abide by Integrating Jira with Nginx.

nginx.conf
server {
  listen api-proxy.codeclou.io:80;
  server_name api-proxy.codeclou.io;

  ## SSL => You should use SSL in production
  #ssl_certificate     www.example.com.crt;
  #ssl_certificate_key www.example.com.key;
  #ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
  #ssl_ciphers         HIGH:!aNULL:!MD5;

  location /rest/jiracustomfieldeditorplugin/1 {

    ## CORS Header
    add_header 'Access-Control-Allow-Origin' '*' always;
    add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;
    add_header 'Access-Control-Allow-Headers' 'x-requested-with, Content-Type, origin, authorization, accept, client-security-token' always;

    ## Handle HTTP Options Preflight Request always with 200
    if ($request_method = 'OPTIONS') {
      return 200;
    }

    ## Proxy CEP REST Uris to Jira Server
    proxy_pass http://jira-server:8080/rest/jiracustomfieldeditorplugin/1;
  }
}

Testing CORS Headers

Now you can test your CORS config. The response to the HTTP OPTIONS Preflight Request should contain the following CORS headers:

$ curl -I -X OPTIONS -H "Accept: application/json" -u admin:admin http://jira-server:8080/rest/jiracustomfieldeditorplugin/1/admin/customfields
HTTP/1.1 200 OK
Server: nginx/1.10.3 (Ubuntu)
Date: Tue, 24 Jul 2018 11:29:58 GMT
Content-Type: application/octet-stream
Content-Length: 0
Connection: keep-alive
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Headers: x-requested-with, Content-Type, origin, authorization, accept, client-security-token

Any normal request, e.g. an HTTP GET request, should have the following CORS headers:

$ curl -I -X GET -H "Accept: application/json" -u admin:admin http://jira-server:8080/rest/jiracustomfieldeditorplugin/1/admin/customfields
HTTP/1.1 200
Server: nginx/1.10.3 (Ubuntu)
Date: Tue, 24 Jul 2018 11:30:32 GMT
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-AREQUESTID: 690x707x1
X-ANODEID: jira-cluster-7100-node1
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'
X-ASEN: SEN-L12059515
X-Seraph-LoginReason: OK
X-ASESSIONID: cdyu96
X-AUSERNAME: admin
Cache-Control: no-cache, no-store, no-transform
...
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Headers: x-requested-with, Content-Type, origin, authorization, accept, client-security-token
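Reading the headers by eye works for a one-off test; the following script is an added example (not part of the CEP docs) that pipes the preflight response from curl into a check of what a browser actually requires: a 2xx status, an Access-Control-Allow-Origin value, the real request's method listed in Access-Control-Allow-Methods, and every non-simple request header listed in Access-Control-Allow-Headers. It also flags the combination browsers refuse, a wildcard origin together with Access-Control-Allow-Credentials: true; the URL and header list in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not part of the CEP docs): check a CORS preflight response,
# read from stdin, against the method and request headers a browser would ask
# for. Prints each problem found and returns 1 if the browser would reject it.
#   curl -sI -X OPTIONS -H 'Origin: https://app.example' URL \
#     | check_preflight PUT 'Content-Type, Authorization'

# Print the lower-cased value of header $1 (case-insensitive match, CRLF safe).
header_value() {
  awk -v name="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
    { line = tolower($0); sub(/\r$/, "", line) }
    index(line, name ":") == 1 {
      val = substr(line, length(name) + 2)
      gsub(/^[ \t]+|[ \t]+$/, "", val)
      print val
    }'
}

# $1 = HTTP method of the real request, $2 = comma-separated request headers
check_preflight() {
  method="$(printf '%s' "$1" | tr 'A-Z' 'a-z')"
  response="$(cat)"
  rc=0
  status="$(printf '%s\n' "$response" | head -n 1 | awk '{ print $2 }')"
  origin="$(printf '%s\n' "$response" | header_value Access-Control-Allow-Origin)"
  methods="$(printf '%s\n' "$response" | header_value Access-Control-Allow-Methods)"
  headers="$(printf '%s\n' "$response" | header_value Access-Control-Allow-Headers)"
  creds="$(printf '%s\n' "$response" | header_value Access-Control-Allow-Credentials)"

  # The preflight itself must succeed; the Apache and NGINX configs answer 200.
  case "$status" in 2??) ;; *) echo "preflight status '$status' is not 2xx"; rc=1 ;; esac
  if [ -z "$origin" ]; then echo "missing Access-Control-Allow-Origin"; rc=1; fi
  # Browsers reject a wildcard origin when credentials (cookies, Basic auth) are allowed.
  if [ "$origin" = "*" ] && [ "$creds" = "true" ]; then
    echo "Access-Control-Allow-Origin: * cannot be combined with Allow-Credentials: true"; rc=1
  fi
  case ",$(printf '%s' "$methods" | tr -d ' ')," in
    *",$method,"*) ;;
    *) echo "method $1 not in Access-Control-Allow-Methods"; rc=1 ;;
  esac
  allowed=",$(printf '%s' "$headers" | tr -d ' '),"
  for h in $(printf '%s' "$2" | tr 'A-Z,' 'a-z '); do
    case "$allowed" in
      *",$h,"*) ;;
      # A "*" entry covers every header except Authorization, which must be listed.
      *",*,"*) if [ "$h" = "authorization" ]; then echo "authorization must be listed explicitly"; rc=1; fi ;;
      *) echo "request header $h not in Access-Control-Allow-Headers"; rc=1 ;;
    esac
  done
  return $rc
}
```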