I have an application that consists of back end and front end. Because of restrictions with the hoster, I need to provide the back end from a different server than the front end.

My back end handles authentication and serves the content to the front end. It also sends emails to users via nodemailer. Because I am not allowed have outgoing TCP sockets on the server where the front end is hosted, this feature failed which made me relocate the back end.

Now, I have the back end running on a different server. It consists of a loopback instance listening on a certain port which gets requests proxied to it by nginx.

After a while of set up, I had the configuration working. It first failed because of a wrong CORS header, a problem that emerged because Loopback added Access-Control-Allow-Origin *;, which I also had in my nginx config. That resulted in Firefox throwing an error like CORS header does not match Origin (*, *) - which made me think that the headers where on top of each other thus negating the wildcard *.

So I removed the add_header part from my nginx configuration. I worked fine when I tested, but when I came back, Firefox threw the Error Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://{{my_nice_api}}/lang. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing). Status code: 404.. Which baffled me because I hadn't changed the set up at all.

Now, I fiddled even more but am not able to find the error. I have add_header Access-Control-Allow-Origin *; set (for testing purposes obviously), but I keep getting the error that there is no such header present. This post had me thinking that I needed to add another header in Access-Control-Allow-Credentials true;, but to no avail. Can anybody give any pointer as to what I am missing?

My nginx.conf:

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;


events {
    worker_connections 768;
    # multi_accept on;
}

http {

    ##
    # Basic Settings
    ##

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_tokens off;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings
    ##

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;
    #ssl_certificate        /etc/nginx/certs/cert.pem;
    #ssl_certificate_key    /etc/nginx/certs/key.pem;   

    ##
    # Logging Settings
    ##

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##

    gzip on;

    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # Virtual Host Configs
    ##

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}

My site.conf (mounted into sites-available):

# Virtual Host configuration for {{my_nice_api}}
#
server {
    listen 80;
    listen [::]:80;
    server_name {{my_nice_api}};
    
    return 301 https://{{my_nice_api}}$uri;
    #location / {
    #   rewrite ^ https://{{my_nice_api}}$request_uri permanent;
    #}
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    
    ssl_certificate     /etc/nginx/certs/cert.pem;
    ssl_certificate_key /etc/nginx/certs/key.pem;
            
    #server_name {{my_nice_api}};   
    location / {
            proxy_pass http://localhost:3001/api/;
            #proxy_pass_request_headers on;
        #proxy_http_version  1.1;
            #proxy_cache_bypass  $http_upgrade;
            #proxy_set_header Upgrade           $http_upgrade;
            #proxy_set_header Connection        "upgrade";
            proxy_set_header Host              $host;
            proxy_set_header X-Real-IP         $remote_addr;
            #proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            #proxy_set_header X-Forwarded-Proto $scheme;
            #proxy_set_header X-Forwarded-Host  $host;
            #proxy_set_header X-Forwarded-Port  $server_port;
        add_header Access-Control-Allow-Origin *;
        add_header Access-Control-Allow-Credentials true;
        #add_header X-Frame-Options SAMEORIGIN;
    }
}