Nginx -- Error 400: Origin is not allowed to make this request

Question

I'm setting up a reverse proxy for MeiliSearch with Nginx. When sending a POST request from an origin, I get a 400: Origin is not allowed to make this request error. However, if the request does not have an origin, everything works correctly.

Interestingly, the response also includes different headers whether or not the origin is present.

Requests/responses

Working request

Header	Value
Content-Type	application/json
X-Meili-API-Key	asfasdfasdfasdfsafsdfasdfadsfsadff

Working response

Header	Value
Server	nginx/1.18.0
Date	Thu, 14 Jan 2021 19:49:02 GMT
Content-Type	application/json
Content-Length	252
Connection	keep-alive
Access-Control-Allow-Origin	*

As you can see, Access-Control-Allow-Origin is a wildcard as it should be.

Failing request

Header	Value
Content-Type	application/json
X-Meili-API-Key	asfasdfasdfasdfsafsdfasdfadsfsadff
Origin	https://example.com

Failing response

Header	Value
Server	nginx/1.18.0
Date	Thu, 14 Jan 2021 19:49:02 GMT
Content-Length	252
Connection	keep-alive

Access-Control-Allow-Origin is now missing.

Configuration

This is the full configuration file.

server {
server_name example.com;
location / {
    if ($request_method ~* "(GET|POST)") {
      add_header "Access-Control-Allow-Origin" *;
    }

    if ($request_method = OPTIONS ) {
      add_header 'Access-Control-Max-Age' 1728000;
      add_header "Access-Control-Allow-Origin"  *;
      add_header "Access-Control-Allow-Methods" "GET, POST, OPTIONS, HEAD";
      add_header "Access-Control-Allow-Headers" "Authorization, Origin, X-Requested-With, Content-Type, Accept, X-Meili-API-Key";
      return 204;
    }

    proxy_pass  http://127.0.0.1:7700;
}

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


listen 80 default_server;
listen [::]:80 default_server;
server_name example.com;

Any ideas?

score 3 · Accepted Answer · answered Jan 14 '21 at 20:25

3

This problem was reported for the v0.18.0, there was an problem with actix-cors

https://github.com/meilisearch/MeiliSearch/pull/1185

A new version was released with the fix: v0.18.1

https://github.com/meilisearch/MeiliSearch/releases/tag/v0.18.1

Download the new MeiliSearch version and the problem will go away :)

answered Jan 14 '21 at 20:25

Eskombro

72
5

Thanks! Thought for sure this was an Nginx error, otherwise, I would have asked over on the repo. – Nick Jan 14 '21 at 20:34