Multiple CORS header error in Enterprise Edition (self-hosted)

bennhatton · January 19, 2024, 11:29am

Hi everyone,
I recently set up a Seatable Enterprise Edition on an OVH VPS running Debian 12.
I followed the installation instruction from the admin manual and everything works fine (almost ). Indeed, I have an html page calling the API (JavaScript). When I use it on a database stored on cloud.seatable.io, everything works fine, but with my self-hosted database, I get a Multiple CORS header ‘Access-Control-Allow-Origin’ not allowed error…
I didn’t change anything in the config files (still using 80 and 443 ports for now, SSL is enabled, I’m not running Seatable behind a server (Seatable’s docker container is the only thing installed on the VPS for now).
Any idea on how to solve that problem ?
Thanks a lot,
Benjamin

PS : Small extra piece of info while investigating on this problem : a call to the API using dtable-db works, whereas I get the error when the requests uses dtable-server

cdb · January 24, 2024, 1:28pm

Can you please send me your nginx configuration for the locations dtable-db and dtable-server?

bennhatton · January 24, 2024, 3:05pm

Hello Christoph,
Sorry I didn’t think to attach the configuration to my first message; here it is :

    location /dtable-server {
        add_header Access-Control-Allow-Origin *;
        add_header Access-Control-Allow-Methods GET,POST,PUT,DELETE,OPTIONS;
        add_header Access-Control-Allow-Headers "deviceType,token, authorization,>
        if ($request_method = 'OPTIONS') {
            add_header Access-Control-Allow-Origin *;
            add_header Access-Control-Allow-Methods GET,POST,PUT,DELETE,OPTIONS;
            add_header Access-Control-Allow-Headers "deviceType,token, authorizat>
            return 204;
        }
        rewrite ^/dtable-server/(.*)$ /$1 break;
        proxy_pass         http://dtable_servers;
        proxy_redirect     off;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Host  $server_name;
        proxy_set_header   X-Forwarded-Proto $scheme;

        # used for import excel
        client_max_body_size 100m;

        access_log      /opt/nginx-logs/dtable-server.access.log seatableformat;
        error_log       /opt/nginx-logs/dtable-server.error.log;

    }

    location /dtable-db/ {
        add_header Access-Control-Allow-Origin *;
        add_header Access-Control-Allow-Methods GET,POST,PUT,DELETE,OPTIONS;
        add_header Access-Control-Allow-Headers "deviceType,token, authorization,>
        if ($request_method = 'OPTIONS') {
            add_header Access-Control-Allow-Origin *;
            add_header Access-Control-Allow-Methods GET,POST,PUT,DELETE,OPTIONS;
            add_header Access-Control-Allow-Headers "deviceType,token, authorizat>
            return 204;
        }
        proxy_pass         http://127.0.0.1:7777/;
        proxy_redirect     off;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Host  $server_name;
        proxy_set_header   X-Forwarded-Proto $scheme;

        access_log      /opt/nginx-logs/dtable-db.access.log seatableformat;
        error_log       /opt/nginx-logs/dtable-db.error.log;
    }

I tried to remove the add_header Access-Control-Allow-Origin *; lines in dtable-server as it seems to be defined several times, but it didn’t remove the problem…

cdb · January 29, 2024, 9:21am

I will have a look at this in the next days. Please give me some time.

bennhatton · February 9, 2024, 2:08pm

Hi @cdb , just to let you know, I upgraded to version 4.3, hopping that it might help, but unfortunately the problem remains : I still can’t even ping dtable-server

cdb · February 13, 2024, 10:55am

Hey Ben,

Execute these commands from any command line:

curl -sI https://cloud.seatable.io | grep access
curl -sI https://<your-seatable-url>/ | grep access

You can see, that there is a slight difference between the Access-Control Headers…

Please edit your /opt/seatable-server/seatable/conf/nginx.conf.

Remove all parts like this. No location /xxx should contain any Access-Control-… stuff any more.

        add_header Access-Control-Allow-Origin *;
        add_header Access-Control-Allow-Methods GET,POST,PUT,DELETE,OPTIONS;
        add_header Access-Control-Allow-Headers "deviceType,token, authorization,>
        if ($request_method = 'OPTIONS') {
            add_header Access-Control-Allow-Origin *;
            add_header Access-Control-Allow-Methods GET,POST,PUT,DELETE,OPTIONS;
            add_header Access-Control-Allow-Headers "deviceType,token, authorizat>
            return 204;
        }

Then before the first location / {... add this code:

    #####
    # general settings to allow API and readme.com
    #####
    proxy_hide_header   'Access-Control-Allow-Origin';
    add_header 'Access-Control-Allow-Origin' '*' always;
    add_header 'Access-Control-Allow-Methods' 'GET,POST,PUT,DELETE,OPTIONS' always;
    add_header 'Access-Control-Allow-Headers' 'Content-Type, Accept, authorization, token, deviceType' always;
    if ($request_method = 'OPTIONS') {
        return 204;
    }

Restart nginx or the containers and compare. If the Access-Control-Headers are the same, then your CORS headers should be gone.

system · February 15, 2024, 10:55am

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.