CORS Setup
Using CORS
CORS is not provided by the app itself. You need to configure CORS to your needs in the web server (Nginx or Apache) that sits in front of Jira.
Note: codeclou does not recommend configuring CORS in any specific way. You should consult a specialist to configure CORS to your needs. The config below is provided without any warranty.
CORS for Apache Webserver
Use this demo config for Apache Webserver v2.4+ to handle HTTP OPTIONS preflight requests and set the correct CORS headers. Note that you should still follow the guide "Proxying Atlassian server applications with Apache HTTP Server (mod_proxy_http)".
    <VirtualHost *:80>
        ServerName api-proxy.codeclou.io

        ## SSL => You should use SSL in production
        #SSLEngine on
        #SSLCertificateKeyFile /etc/ssl.key/example.com.key
        #SSLCertificateFile /etc/ssl.crt/example.com.crt

        ## CORS Header
        Header always set Access-Control-Allow-Origin "*"
        Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
        Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token"

        ## Handle HTTP Options Preflight Request always with 200
        RewriteEngine On
        RewriteCond %{REQUEST_METHOD} OPTIONS
        RewriteRule ^(.*)$ $1 [R=200,L]

        ## Proxy CEP REST Uris to Jira Server
        <LocationMatch "/rest/jiracustomfieldeditorplugin/1">
            ProxyPass http://jira-server:8080/rest/jiracustomfieldeditorplugin/1 disablereuse=On
            ProxyPassReverse http://jira-server:8080/rest/jiracustomfieldeditorplugin/1
        </LocationMatch>
    </VirtualHost>
CORS for NGINX
Use this demo config for NGINX v1+ to handle HTTP OPTIONS preflight requests and set the correct CORS headers. Note that you should still follow the guide "Integrating Jira with Nginx".
    server {
        listen api-proxy.codeclou.io:80;
        server_name api-proxy.codeclou.io;

        ## SSL => You should use SSL in production
        #ssl_certificate www.example.com.crt;
        #ssl_certificate_key www.example.com.key;
        #ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        #ssl_ciphers HIGH:!aNULL:!MD5;

        location /rest/jiracustomfieldeditorplugin/1 {
            ## CORS Header
            add_header 'Access-Control-Allow-Origin' '*' always;
            add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;
            add_header 'Access-Control-Allow-Headers' 'x-requested-with, Content-Type, origin, authorization, accept, client-security-token' always;

            ## Handle HTTP Options Preflight Request always with 200
            if ($request_method = 'OPTIONS') {
                return 200;
            }

            ## Proxy CEP REST Uris to Jira Server
            proxy_pass http://jira-server:8080/rest/jiracustomfieldeditorplugin/1;
        }
    }
Testing CORS Headers
Now you can test your CORS config. The response to the HTTP OPTIONS preflight request should carry the following CORS headers:
    curl -I -X OPTIONS -H "Accept: application/json" -u admin:admin http://jira-server:8080/rest/jiracustomfieldeditorplugin/1/admin/customfields

    HTTP/1.1 200 OK
    Server: nginx/1.10.3 (Ubuntu)
    Date: Tue, 24 Jul 2018 11:29:58 GMT
    Content-Type: application/octet-stream
    Content-Length: 0
    Connection: keep-alive
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
    Access-Control-Allow-Headers: x-requested-with, Content-Type, origin, authorization, accept, client-security-token
The response to any normal request, e.g. an HTTP GET request, should carry the following CORS headers:

    curl -I -X GET -H "Accept: application/json" -u admin:admin http://jira-server:8080/rest/jiracustomfieldeditorplugin/1/admin/customfields

    HTTP/1.1 200
    Server: nginx/1.10.3 (Ubuntu)
    Date: Tue, 24 Jul 2018 11:30:32 GMT
    Content-Type: application/json;charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-AREQUESTID: 690x707x1
    X-ANODEID: jira-cluster-7100-node1
    X-XSS-Protection: 1; mode=block
    X-Content-Type-Options: nosniff
    X-Frame-Options: SAMEORIGIN
    Content-Security-Policy: frame-ancestors 'self'
    X-ASEN: SEN-L12059515
    X-Seraph-LoginReason: OK
    X-ASESSIONID: cdyu96
    X-AUSERNAME: admin
    Cache-Control: no-cache, no-store, no-transform
    ...
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
    Access-Control-Allow-Headers: x-requested-with, Content-Type, origin, authorization, accept, client-security-token
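The header check from the curl responses above, automated as an added example (not part of the original page and not codeclou's code): it parses a response head as printed by `curl -I` and reports CORS findings, including the wildcard origin used in the demo configs. The function names and the sample input are assumptions constructed for illustration.

```python
from email.parser import Parser

# Constructed sample, modelled on the preflight response shown above.
SAMPLE_PREFLIGHT = """\
HTTP/1.1 200 OK
Server: nginx/1.10.3 (Ubuntu)
Content-Length: 0
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Headers: x-requested-with, Content-Type, origin, authorization, accept, client-security-token
"""

def parse_head(raw):
    """Split a raw response head into (status_code, case-insensitive headers)."""
    status_line, _, rest = raw.strip().partition("\n")
    return int(status_line.split()[1]), Parser().parsestr(rest, headersonly=True)

def tokens(value):
    """Lower-cased set of the comma-separated tokens in a header value."""
    return {t.strip().lower() for t in (value or "").split(",") if t.strip()}

def audit_cors(raw, expected_methods=("GET", "POST", "PUT", "DELETE", "OPTIONS")):
    """Return (status_code, findings) for one response head (hypothetical helper)."""
    status, h = parse_head(raw)
    findings = []
    origin = h.get("Access-Control-Allow-Origin")
    if origin is None:
        findings.append("missing Access-Control-Allow-Origin")
    elif origin.strip() == "*":
        findings.append("wildcard origin: scripts on any website may read responses")
        if (h.get("Access-Control-Allow-Credentials") or "").strip().lower() == "true":
            findings.append("wildcard origin with credentials: browsers reject this")
        if "authorization" in tokens(h.get("Access-Control-Allow-Headers")):
            findings.append("wildcard origin and Authorization request header allowed")
    elif "origin" not in tokens(h.get("Vary")):
        findings.append("no 'Vary: Origin' (needed if the origin is chosen per request)")
    missing = {m.lower() for m in expected_methods} - tokens(h.get("Access-Control-Allow-Methods"))
    if missing:
        findings.append("methods not allowed: " + ", ".join(sorted(missing)).upper())
    return status, findings

if __name__ == "__main__":
    status, findings = audit_cors(SAMPLE_PREFLIGHT)
    print(status)
    for f in findings:
        print("-", f)
```

An empty findings list means the response names a specific origin, sends `Vary: Origin`, and allows every expected method.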