Apache/Laravel 403 Forbidden-不允许头 [英] Apache / Laravel 403 Forbidden - Header not allowed
问题描述
我已经处理了24小时,但我在Google上找不到任何解决方案.
I've been on this for 24 hours, and I can't find any solution on Google for my issue.
我正在开发一个由Laravel 4.2 API和AngularJS 1.3前端组成的网站.
I'm developing a website composed of a Laravel 4.2 API and an AngularJS 1.3 front-end.
我使用laravel-cors软件包在Laravel上启用了CORS,我的请求一直运行到昨天早上(并且没有人在服务器上部署任何东西,这很奇怪).
I enabled CORS on Laravel with the package laravel-cors, and my requests were working well until yesterday morning (and nobody deployed anything on the server, which is weird).
我在除Firefox以外的所有主要浏览器上都有问题,当我尝试从Chrome/Safari/IE访问我的API(PUT/POST/DELETE)时,Angular生成预检OPTIONS请求,并且此消息出现403错误:
I have the issue on all major browsers but Firefox, when I try to access my API (PUT/POST/DELETE) from Chrome/Safari/IE, Angular generate a preflight OPTIONS request and I get a 403 error with this message :
请求的请求上没有'Access-Control-Allow-Origin'标头 资源.
No 'Access-Control-Allow-Origin' header is present on the requested resource.
这不是我第一次看到它,所以我检查了laravel-cors,在Angular上也一切正常,并且在Firefox和POSTMAN(在Chrome上)上运行良好.
Not the first time I see this, so I checked on laravel-cors, everything seems ok, on Angular too, and with Firefox and POSTMAN (on Chrome) it's working well.
这是我的laravel-cors配置
Here is my laravel-cors config
return array(
'defaults' => array(
'supportsCredentials' => true,
'allowedOrigins' => array('http://localhost', 'http://example.com'),
'allowedHeaders' => array('Content-Type','X-Requested-With','accept','Origin','Access-Control-Request-Method','Access-Control-Request-Headers','Authorization'),
'allowedMethods' => array('GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'),
'exposedHeaders' => array(),
'maxAge' => 0,
'hosts' => array(),
),
);
在Angular端
// Allow credentials
$httpProvider.defaults.withCredentials = true;
$httpProvider.defaults.useXDomain = true;
我比较了Chrome和Firefox发送到我的Apache Web服务器的请求,并使用curl重新创建了它们.
I compared the request sent by Chrome and Firefox to my Apache webserver, and I recreated them with curl.
第一个来自Chrome,并返回"不允许标题"
The first one comes from Chrome, and returns "Header not allowed"
curl 'http://api.example.com' -X OPTIONS -H 'Pragma: no-cache' -H 'Access-Control-Request-Method: POST' -H 'Origin: http://example.com' -H 'Acc
ept-Encoding: gzip, deflate, sdch' -H 'Accept-Language: fr-FR,fr;q=0.8,en-US;q=0.6,en;q=0.4' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36' -H 'Accept: */*' -H 'Cache-Control: no-cache' -H 'Referer: http://example.com/' -H 'Connection: keep-alive' -H 'Access-Control-Request-Headers: accept, content-type' --compressed
如果我在Access-Control-Request-Headers HTTP标头中删除了 accept ,则它运行良好,并且与Firefox和其他浏览器有所不同.
If I remove accept in the Access-Control-Request-Headers HTTP header, it's working well, and it's the difference with Firefox and the other browsers.
这是我的Apache配置和Laravel .htaccess
Here's my Apache configuration and the Laravel .htaccess
.htaccess
<IfModule mod_rewrite.c>
<IfModule mod_negotiation.c>
Options -MultiViews
</IfModule>
RewriteEngine On
# Redirect Trailing Slashes...
RewriteRule ^(.*)/$ /$1 [L,R=301]
# Handle Front Controller...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [L]
</IfModule>
虚拟主机
<VirtualHost *:80>
ServerAdmin webmaster@localhost
ServerName api.example.com
DocumentRoot /var/www/shoptruc/api/public
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
<Directory "/var/www/shoptruc/api/public">
AllowOverride All
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
有人有想法吗?我现在被困住了. 我试图在Laravel App :: before()过滤器中编写代码,但未触发该过滤器.
Does anyone have an idea ? I'm stuck right now. I tried to write code in Laravel App::before() filter, but the filter is not fired.
PS:如果需要测试,可以在 http://api.roadtotark发送邮件.com/auth/login :)
PS : If you need to test, you can send a POST on http://api.roadtotark.com/auth/login :)
推荐答案
很好,我找到了解决方案.我禁用了laravel-cors,并通过此配置在public/.htaccess
中启用了跨域.
Great, I found a solution. I disabled laravel-cors and I enabled the cross-domain in public/.htaccess
with this piece of configuration.
# with AJAX withCredentials=false (cookies NOT sent)
Header always set Access-Control-Allow-Origin "*"
Header always set Access-Control-Allow-Methods "POST, GET, PUT, OPTIONS, PATCH, DELETE"
Header always set Access-Control-Allow-Headers "X-Accept-Charset,X-Accept,Content-Type"
RewriteEngine On
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ $1 [R=200,L,E=HTTP_ORIGIN:%{HTTP:ORIGIN}]]
# with AJAX withCredentials=true (cookies sent, SSL allowed...)
SetEnvIfNoCase ORIGIN (.*) ORIGIN=$1
Header always set Access-Control-Allow-Methods "POST, GET, PUT, OPTIONS, PATCH, DELETE"
Header always set Access-Control-Allow-Origin "%{ORIGIN}e"
Header always set Access-Control-Allow-Credentials "true"
Header always set Access-Control-Allow-Headers "X-Accept-Charset,X-Accept,Content-Type"
RewriteEngine On
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ $1 [R=200,L,E=HTTP_ORIGIN:%{HTTP:ORIGIN}]
现在一切正常!希望这会在将来对遇到相同问题的人有所帮助.
Everything work well now ! Hope this will help somebody with the same issue in the future.
这篇关于Apache/Laravel 403 Forbidden-不允许头的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!