diff --git a/Dockerfile.buildkit.plus b/Dockerfile.buildkit.plus index 50a09430..b59aad51 100644 --- a/Dockerfile.buildkit.plus +++ b/Dockerfile.buildkit.plus @@ -12,6 +12,7 @@ ENV PROXY_CACHE_VALID_OK "1h" ENV PROXY_CACHE_VALID_NOTFOUND "1m" ENV PROXY_CACHE_VALID_FORBIDDEN "30s" ENV CORS_ENABLED 0 +ENV CORS_ALLOW_PRIVATE_NETWORK_ACCESS "" ENV DIRECTORY_LISTING_PATH_PREFIX "" ENV STRIP_LEADING_DIRECTORY_PATH "" ENV PREFIX_LEADING_DIRECTORY_PATH "" diff --git a/Dockerfile.oss b/Dockerfile.oss index 3ad4568c..3f080571 100644 --- a/Dockerfile.oss +++ b/Dockerfile.oss @@ -10,6 +10,7 @@ ENV PROXY_CACHE_VALID_OK "1h" ENV PROXY_CACHE_VALID_NOTFOUND "1m" ENV PROXY_CACHE_VALID_FORBIDDEN "30s" ENV CORS_ENABLED 0 +ENV CORS_ALLOW_PRIVATE_NETWORK_ACCESS "" ENV DIRECTORY_LISTING_PATH_PREFIX "" ENV STRIP_LEADING_DIRECTORY_PATH "" ENV PREFIX_LEADING_DIRECTORY_PATH "" diff --git a/Dockerfile.plus b/Dockerfile.plus index 80f604ac..9328199c 100644 --- a/Dockerfile.plus +++ b/Dockerfile.plus @@ -12,6 +12,7 @@ ENV PROXY_CACHE_VALID_OK "1h" ENV PROXY_CACHE_VALID_NOTFOUND "1m" ENV PROXY_CACHE_VALID_FORBIDDEN "30s" ENV CORS_ENABLED 0 +ENV CORS_ALLOW_PRIVATE_NETWORK_ACCESS "" ENV DIRECTORY_LISTING_PATH_PREFIX "" ENV STRIP_LEADING_DIRECTORY_PATH "" ENV PREFIX_LEADING_DIRECTORY_PATH "" diff --git a/common/docker-entrypoint.d/00-check-for-required-env.sh b/common/docker-entrypoint.d/00-check-for-required-env.sh index a09a76a1..0178134b 100755 --- a/common/docker-entrypoint.d/00-check-for-required-env.sh +++ b/common/docker-entrypoint.d/00-check-for-required-env.sh @@ -135,3 +135,4 @@ echo "Provide Index Pages Enabled: ${PROVIDE_INDEX_PAGE}" echo "Append slash for directory enabled: ${APPEND_SLASH_FOR_POSSIBLE_DIRECTORY}" echo "Stripping the following headers from responses: x-amz-;${HEADER_PREFIXES_TO_STRIP}" echo "CORS Enabled: ${CORS_ENABLED}" +echo "CORS Allow Private Network Access: ${CORS_ALLOW_PRIVATE_NETWORK_ACCESS}" diff --git a/common/etc/nginx/templates/gateway/cors.conf.template b/common/etc/nginx/templates/gateway/cors.conf.template index e92a1c95..428b4668 100644 --- a/common/etc/nginx/templates/gateway/cors.conf.template +++ b/common/etc/nginx/templates/gateway/cors.conf.template @@ -1,5 +1,15 @@ set $request_cors "${request_method}_${CORS_ENABLED}"; +set $cors_private_network '${CORS_ALLOW_PRIVATE_NETWORK_ACCESS}'; + +if ($cors_private_network = 'true') { + set $allow_cors_private_network 'true'; +} + +if ($cors_private_network = 'false') { + set $allow_cors_private_network 'false'; +} + if ($request_cors = "OPTIONS_1") { add_header 'Access-Control-Allow-Origin' '${CORS_ALLOWED_ORIGIN}'; add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; @@ -11,6 +21,12 @@ if ($request_cors = "OPTIONS_1") { # Tell client that this pre-flight info is valid for 20 days # add_header 'Access-Control-Max-Age' 1728000; + # + # Allow/deny Private Network Access CORS requests. + # https://developer.chrome.com/blog/private-network-access-preflight/ + # + add_header 'Access-Control-Allow-Private-Network' $allow_cors_private_network; + add_header 'Content-Type' 'text/plain; charset=utf-8'; add_header 'Content-Length' 0; return 204; diff --git a/docs/getting_started.md b/docs/getting_started.md index e1e6d072..3c584588 100644 --- a/docs/getting_started.md +++ b/docs/getting_started.md @@ -44,6 +44,7 @@ running as a Container or as a Systemd service. | `CORS_ALLOWED_ORIGIN` | No | | | value to set to be returned from the CORS `Access-Control-Allow-Origin` header. This value is only used if CORS is enabled. (default: \*) | | `STRIP_LEADING_DIRECTORY_PATH` | No | | | Removes a portion of the path in the requested URL (if configured). Useful when deploying to an ALB under a folder (eg. www.mysite.com/somepath). | | `PREFIX_LEADING_DIRECTORY_PATH` | No | | | Prefix to prepend to all S3 object paths. Useful to serve only a subset of an S3 bucket. When used in combination with `STRIP_LEADING_DIRECTORY_PATH`, this allows the leading path to be replaced, rather than just removed. | +| `CORS_ALLOW_PRIVATE_NETWORK_ACCESS` | No | `true`, `false` | | Flag that enables responding to the CORS OPTIONS pre-flight request header `Access-Control-Request-Private-Network` with the `Access-Control-Allow-Private-Network` header. If the value is "true", responds with "true", if "false" responds with "false". If the environment variable is blank/not set, does not respond with any header. This value is only used if CORS is enabled. See [Private Network Access: introducing preflights](https://developer.chrome.com/blog/private-network-access-preflight/) for more information about this header. | If you are using [AWS instance profile credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html), you will need to omit the `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `AWS_SESSION_TOKEN` variables from diff --git a/standalone_ubuntu_oss_install.sh b/standalone_ubuntu_oss_install.sh index 4b68cae8..58dd92ef 100644 --- a/standalone_ubuntu_oss_install.sh +++ b/standalone_ubuntu_oss_install.sh @@ -97,6 +97,7 @@ echo "Proxy Caching Time for Valid Response: ${PROXY_CACHE_VALID_OK}" echo "Proxy Caching Time for Not Found Response: ${PROXY_CACHE_VALID_NOTFOUND}" echo "Proxy Caching Time for Forbidden Response: ${PROXY_CACHE_VALID_FORBIDDEN}" echo "CORS Enabled: ${CORS_ENABLED}" +echo "CORS Allow Private Network Access: ${CORS_ALLOW_PRIVATE_NETWORK_ACCESS}" set -o nounset # abort on unbound variable