Lua library for enabling CORS in HAProxy.
Cross-origin Request Sharing allows you to permit client-side code running within a different domain to call your services. This module extends HAProxy so that it can:
- set an Access-Control-Allow-Methods header in response to CORS preflight requests.
- set an Access-Control-Allow-Origin header to whitelist a domain. Note that this header should only ever return either a single domain or an asterisk (*). Otherwise, it would have been possible to hardcode all permitted domains without the need for Lua scripting.
This library checks the incoming Origin header, which contains the calling code's domain, and tries to match it with the list of permitted domains. If there is a match, that domain is sent back in the Access-Control-Allow-Origin header.
- HAProxy must be compiled with Lua support.
Copy the cors.lua file to the server where you run HAProxy.
Load the cors.lua file via the lua-load directive in the global section of your HAProxy configuration:
global
log stdout local0
lua-load /path/to/cors.lua
In your frontend or listen section, capture the client's Origin request header by adding http-request lua.cors:
http-request lua.cors
Within the same section, invoke the http-response lua.cors action. The first parameter is a a comma-delimited list of HTTP methods that can be used. The second parameter is comma-delimited list of origins that are permitted to call your service.
http-response lua.cors "GET,PUT,POST" "example.com,localhost,localhost:8080"
You can also whitelist all domains by setting the second parameter to an asterisk:
http-response lua.cors "GET,PUT,POST" "*"