From 66c5c303b320662a37d54d1f17ba6bd57be50f94 Mon Sep 17 00:00:00 2001
From: wiz <j@wiz.biz>
Date: Sat, 13 Jul 2024 20:20:15 +0900
Subject: [PATCH] ops: Set HTTP CORS headers with caching in nginx for services

---
 .../nginx/location-api-v1-services.conf       | 82 +++++++++++++++++++
 1 file changed, 82 insertions(+)

diff --git a/production/nginx/location-api-v1-services.conf b/production/nginx/location-api-v1-services.conf
index 2b74124ca..88f510e79 100644
--- a/production/nginx/location-api-v1-services.conf
+++ b/production/nginx/location-api-v1-services.conf
@@ -58,6 +58,36 @@ location @mempool-api-v1-services-cache-disabled {
 	add_header 'Pragma' 'no-cache';
 	add_header 'Cache-Control' 'private, no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
 
+	proxy_redirect off;
+	proxy_buffering off;
+
+	expires -1;
+}
+
+location @mempool-api-v1-services-cache-disabled-addcors {
+	proxy_pass $mempoolSpaceServices;
+
+	# remove these just in case double proxied
+	proxy_hide_header Onion-Location;
+	proxy_hide_header Strict-Transport-Security;
+	proxy_hide_header Content-Security-Policy;
+	proxy_hide_header X-Frame-Options;
+
+	# remove cache headers from services backend
+	proxy_hide_header Cache-Control;
+	proxy_hide_header Expires;
+	proxy_hide_header Pragma;
+
+	# pass these headers to services backend
+	proxy_set_header Host $host;
+	proxy_set_header X-Real-IP $remote_addr;
+	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+	proxy_set_header X-Forwarded-Proto $scheme;
+
+	# add our own cache headers
+	add_header 'Pragma' 'no-cache';
+	add_header 'Cache-Control' 'private, no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
+
 	# generate CORS configuration from origin header
 	set $cors_methods 'GET, POST, PUT, DELETE, OPTIONS';
 	set $cors_origin 'https://mempool.space';
@@ -116,6 +146,58 @@ location @mempool-api-v1-services-cache-short {
 	proxy_cache_valid 200 2s;
 }
 
+location @mempool-api-v1-services-cache-short-addcors {
+	proxy_pass $mempoolSpaceServices;
+	proxy_cache services;
+	proxy_redirect off;
+
+	# remove these just in case double proxied
+	proxy_hide_header Onion-Location;
+	proxy_hide_header Strict-Transport-Security;
+	proxy_hide_header Content-Security-Policy;
+	proxy_hide_header X-Frame-Options;
+
+	# pass these headers to services backend
+	proxy_set_header Host $host;
+	proxy_set_header X-Real-IP $remote_addr;
+	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+	proxy_set_header X-Forwarded-Proto $scheme;
+
+	# remove cache headers from services backend
+	proxy_hide_header Cache-Control;
+	proxy_hide_header Expires;
+	proxy_hide_header Pragma;
+
+	# generate CORS configuration from origin header
+	set $cors_methods 'GET, POST, PUT, DELETE, OPTIONS';
+	set $cors_origin 'https://mempool.space';
+	set $cors_headers 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With';
+	set $cors_credentials 'true';
+
+	# set CORS for approved hostnames
+	if ($cors_approved_origin = 'legit')
+	{
+		set $cors_methods 'GET, POST, PUT, DELETE, OPTIONS';
+		set $cors_origin "$http_origin";
+		set $cors_headers 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With';
+		set $cors_credentials 'true';
+	}
+
+	# set CORS for approved hostnames
+	add_header Access-Control-Allow-Methods "$cors_methods" always;
+	add_header Access-Control-Allow-Origin "$cors_origin" always;
+	add_header Access-Control-Allow-Headers "$cors_headers" always;
+	add_header Access-Control-Allow-Credentials "$cors_credentials" always;
+
+	# add our own cache headers
+	add_header 'Pragma' 'public';
+	add_header 'Cache-Control' 'public';
+	expires 2s;
+
+	# server-side cache validity
+	proxy_cache_valid 200 2s;
+}
+
 location @mempool-api-v1-services-cache-medium {
 	proxy_pass $mempoolSpaceServices;
 	proxy_cache services;