nginx-cors-proxy.conf

upstream backend {
  server $BACKEND;
}

server {
  listen 80 default_server;
  listen [::]:80 default_server;

  underscores_in_headers on;

  server_name cors;

  location / {
    proxy_pass http://backend;
    proxy_redirect http://$BACKEND http://$http_host;
    proxy_read_timeout 300;

    client_max_body_size 500M;

    proxy_set_header Proxy '';
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    proxy_hide_header Access-Control-Allow-Origin;
    proxy_hide_header Access-Control-Allow-Credentials;

    set $CORS_CREDS true;
    set $CORS_ORIGIN $http_origin;
    set $CORS_METHODS 'GET, POST, PUT, DELETE, OPTIONS';
    set $CORS_HEADERS 'Authentication-Token, Cache-Control, Cookie, If-Modified-Since, Range, User-Agent, X-Requested-With';
    # FYI: Always allowed headers: Accept, Accept-Language, Content-Language, Content-Type
    set $CORS_EXPOSE_HEADERS 'Content-Disposition, Content-Length, Content-Range, Set-Cookie';
    # FYI: Always exposed headers: Cache-Control, Content-Language, Content-Type, Expires, Last-Modified, Pragma
    set $CORS_PREFLIGHT_CACHE_AGE 600;
    set $X_FRAME_OPTIONS '';
    # set $X_FRAME_OPTIONS "ALLOW FROM $http_origin";

    if ($request_method = 'OPTIONS') {
      add_header Access-Control-Allow-Origin $CORS_ORIGIN;
      add_header Access-Control-Allow-Methods $CORS_METHODS;
      add_header Access-Control-Allow-Headers $CORS_HEADERS;
      add_header Access-Control-Allow-Credentials $CORS_CREDS;

      add_header Access-Control-Max-Age $CORS_PREFLIGHT_CACHE_AGE;
      add_header Content-Type 'text/plain; charset=utf-8';
      add_header Content-Length 0;
      return 204;
    }
    if ($request_method != 'OPTIONS') {
      add_header Access-Control-Allow-Origin $CORS_ORIGIN;
      add_header Access-Control-Allow-Methods $CORS_METHODS;
      add_header Access-Control-Allow-Headers $CORS_HEADERS;
      add_header Access-Control-Allow-Credentials $CORS_CREDS;

      add_header Access-Control-Expose-Headers $CORS_EXPOSE_HEADERS;
      add_header X-Frame-Options $X_FRAME_OPTIONS;
    }
  }
}