Apache/Laravel 403 Forbidden-不允许头 [英] Apache / Laravel 403 Forbidden - Header not allowed

问题描述

我已经处理了24小时，但我在Google上找不到任何解决方案.

I've been on this for 24 hours, and I can't find any solution on Google for my issue.

我正在开发一个由Laravel 4.2 API和AngularJS 1.3前端组成的网站.

I'm developing a website composed of a Laravel 4.2 API and an AngularJS 1.3 front-end.

我使用laravel-cors软件包在Laravel上启用了CORS，我的请求一直运行到昨天早上(并且没有人在服务器上部署任何东西，这很奇怪).

I enabled CORS on Laravel with the package laravel-cors, and my requests were working well until yesterday morning (and nobody deployed anything on the server, which is weird).

我在除Firefox以外的所有主要浏览器上都有问题，当我尝试从Chrome/Safari/IE访问我的API(PUT/POST/DELETE)时，Angular生成预检OPTIONS请求，并且此消息出现403错误:

I have the issue on all major browsers but Firefox, when I try to access my API (PUT/POST/DELETE) from Chrome/Safari/IE, Angular generate a preflight OPTIONS request and I get a 403 error with this message :

请求的请求上没有'Access-Control-Allow-Origin'标头 资源.

No 'Access-Control-Allow-Origin' header is present on the requested resource.

这不是我第一次看到它，所以我检查了laravel-cors，在Angular上也一切正常，并且在Firefox和POSTMAN(在Chrome上)上运行良好.

Not the first time I see this, so I checked on laravel-cors, everything seems ok, on Angular too, and with Firefox and POSTMAN (on Chrome) it's working well.

这是我的laravel-cors配置

Here is my laravel-cors config

return array(

    'defaults' => array(
        'supportsCredentials' => true,
        'allowedOrigins' => array('http://localhost', 'http://example.com'),
        'allowedHeaders' => array('Content-Type','X-Requested-With','accept','Origin','Access-Control-Request-Method','Access-Control-Request-Headers','Authorization'),
        'allowedMethods' => array('GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'),
        'exposedHeaders' => array(),
        'maxAge' => 0,
        'hosts' => array(),
    ),
);

在Angular端

// Allow credentials
$httpProvider.defaults.withCredentials = true;
$httpProvider.defaults.useXDomain = true;

我比较了Chrome和Firefox发送到我的Apache Web服务器的请求，并使用curl重新创建了它们.

I compared the request sent by Chrome and Firefox to my Apache webserver, and I recreated them with curl.

第一个来自Chrome，并返回"不允许标题"

The first one comes from Chrome, and returns "Header not allowed"

 curl 'http://api.example.com' -X OPTIONS -H 'Pragma: no-cache' -H 'Access-Control-Request-Method: POST' -H 'Origin: http://example.com' -H 'Acc
    ept-Encoding: gzip, deflate, sdch' -H 'Accept-Language: fr-FR,fr;q=0.8,en-US;q=0.6,en;q=0.4' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36' -H 'Accept: */*' -H 'Cache-Control: no-cache' -H 'Referer: http://example.com/' -H 'Connection: keep-alive' -H 'Access-Control-Request-Headers: accept, content-type' --compressed

如果我在Access-Control-Request-Headers HTTP标头中删除了 accept ，则它运行良好，并且与Firefox和其他浏览器有所不同.

If I remove accept in the Access-Control-Request-Headers HTTP header, it's working well, and it's the difference with Firefox and the other browsers.

这是我的Apache配置和Laravel .htaccess

Here's my Apache configuration and the Laravel .htaccess

.htaccess

<IfModule mod_rewrite.c>
    <IfModule mod_negotiation.c>
        Options -MultiViews
    </IfModule>

    RewriteEngine On

    # Redirect Trailing Slashes...
    RewriteRule ^(.*)/$ /$1 [L,R=301]

    # Handle Front Controller...
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^ index.php [L]
</IfModule>

虚拟主机

<VirtualHost *:80>

        ServerAdmin webmaster@localhost
        ServerName api.example.com

        DocumentRoot /var/www/shoptruc/api/public

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        <Directory "/var/www/shoptruc/api/public">
                AllowOverride All
                Order allow,deny
                Allow from all
        </Directory>
</VirtualHost>

有人有想法吗?我现在被困住了. 我试图在Laravel App :: before()过滤器中编写代码，但未触发该过滤器.

Does anyone have an idea ? I'm stuck right now. I tried to write code in Laravel App::before() filter, but the filter is not fired.

PS:如果需要测试，可以在 http://api.roadtotark发送邮件.com/auth/login :)

PS : If you need to test, you can send a POST on http://api.roadtotark.com/auth/login :)

推荐答案

很好，我找到了解决方案.我禁用了laravel-cors，并通过此配置在public/.htaccess中启用了跨域.

Great, I found a solution. I disabled laravel-cors and I enabled the cross-domain in public/.htaccess with this piece of configuration.

# with AJAX withCredentials=false (cookies NOT sent)
Header always set Access-Control-Allow-Origin "*"                   
Header always set Access-Control-Allow-Methods "POST, GET, PUT, OPTIONS, PATCH, DELETE" 
Header always set Access-Control-Allow-Headers "X-Accept-Charset,X-Accept,Content-Type"
RewriteEngine On                  
RewriteCond %{REQUEST_METHOD} OPTIONS 
RewriteRule ^(.*)$ $1 [R=200,L,E=HTTP_ORIGIN:%{HTTP:ORIGIN}]]

# with AJAX withCredentials=true (cookies sent, SSL allowed...)
SetEnvIfNoCase ORIGIN (.*) ORIGIN=$1
Header always set Access-Control-Allow-Methods "POST, GET, PUT, OPTIONS, PATCH, DELETE" 
Header always set Access-Control-Allow-Origin "%{ORIGIN}e"
Header always set Access-Control-Allow-Credentials "true"
Header always set Access-Control-Allow-Headers "X-Accept-Charset,X-Accept,Content-Type"
RewriteEngine On
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ $1 [R=200,L,E=HTTP_ORIGIN:%{HTTP:ORIGIN}]

现在一切正常！希望这会在将来对遇到相同问题的人有所帮助.

Everything work well now ! Hope this will help somebody with the same issue in the future.

这篇关于Apache/Laravel 403 Forbidden-不允许头的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！