Hi,
I have a site in wordpress (say www.example.com) with subdomains for varius languages, (say en.example.com, fr.example.com) and I need that Cors works correctly for all my subdomains but the browsers (Chrome, Firefox) return the following error:
"Access to font at 'https://www.example.com/wp-content/themes/example/fonts/fontawesome-webfont.woff2?v=4.5.0' from origin 'https://en.example.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource."
My server conf is:
server {
listen 80;
server_name www.example.com example.com;
server_name en.example.com fr.example.com de.example.com;
#return 301 https://www.example.com$request_uri;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
server_name www.example.com example.com en.example.com fr.example.com de.example.com;
root /webServer/siti/exampleCOM;
allow all;
#deny all;
ssl on;
ssl_certificate /etc/ssl/certs/example.crt;
ssl_certificate_key /etc/ssl/private/example.key;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 90m;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
include /etc/nginx/conf.d/redirections/rewriteexampleCOM;
include /webServer/sites/exampleCOM/nginx.conf;
# CORS START
set $origin_http "";
if ($http_origin ~* (.*\.example.com)) {
set $origin_http "*";
}
if ($http_origin ~* (.*\.google.com)) {
set $origin_http "*";
}
if ($http_origin ~* (.*\.twitter.com)) {
set $origin_http "*";
}
if ($http_origin ~* (.*\.facebook.com)) {
set $origin_http "*";
}
if ($http_origin ~* (.*\.facebook.net)) {
set $origin_http "*";
}
# CORS END
location /wp-content {
# CORS START
add_header 'Access-Control-Allow-Credentials' 'false' always;
add_header "Access-Control-Allow-Origin" "$origine_http" always;
add_header "Access-Control-Allow-Methods" "GET, POST, OPTIONS, HEAD" always;
add_header "Access-Control-Allow-Headers" "Authorization, Origin, X-Requested-With, Content-Type, Accept" always;
# CORS END
}
location ~* \.(jpg|jpeg|gif|png|css|js|ico|xml|woff2|woff|ttf)$ {
# CORS START
add_header 'Access-Control-Allow-Credentials' 'false' always;
add_header "Access-Control-Allow-Origin" "$origine_http" always;
add_header "Access-Control-Allow-Methods" "GET, POST, OPTIONS, HEAD" always;
add_header "Access-Control-Allow-Headers" "Authorization, Origin, X-Requested-With, Content-Type, Accept" always;
# CORS END
}
location / {
try_files $uri $uri/ /index.php?$args;
# CORS START
add_header 'Access-Control-Allow-Credentials' 'false' always;
add_header "Access-Control-Allow-Origin" "$origin_http" always;
add_header "Access-Control-Allow-Methods" "GET, POST, OPTIONS, HEAD" always;
add_header "Access-Control-Allow-Headers" "Authorization, Origin, X-Requested-With, Content-Type, Accept" always;
# CORS END
expires off;
}
######################
# Permalinks
if (!-e $request_filename) {
rewrite ^/files(.*) /wp-includes/ms-files.php?file=$1 last;
rewrite ^(/[^/]+)?(/wp-.*) $2 last;
rewrite ^(/[^/]+)?(/.*.php) $2 last;
rewrite ^.*$ /index.php last;
}
# Deny access to any files with a .php extension in the uploads directory
# Works in sub-directory installs and also in multisite network
location ~* /(?:uploads|files)/.*\.php$ {
deny all;
}
# Make sure files with the following extensions do not get loaded by nginx because nginx would display the source code, and these files can contain PASSWORDS!
location ~* \.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$|\.php_ {
return 444;
}
#nocgi
location ~* \.(pl|cgi|py|sh|lua)\$ {
return 444;
}
#disallow
location ~* (roundcube|webdav|smtp|http\:|soap|w00tw00t) {
return 444;
}
location ~ /(\.|wp-config\.php|readme\.html|license\.txt) {
deny all;
}
location ~ /\. {
access_log off;
log_not_found off;
deny all;
}
# Add trailing slash to */wp-admin requests.
rewrite /wp-admin$ $scheme://$host$uri/ permanent;
location ~ \.php$ {
expires off; ## Do not cache dynamic content
# SECURITY : Zero day Exploit Protection
try_files $uri =404;
# ENABLE : Enable PHP, listen fpm sock
fastcgi_split_path_info ^(.+\.php)(/.+)$;
# PHP 5.6
#fastcgi_pass unix:/var/run/php/php5.6-fpm-example.sock;
# PHP 7.3
fastcgi_pass unix:/var/run/php/php7.3-fpm-exampleCOM.sock;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param HTTPS $fastcgi_https;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_read_timeout 360;
# CORS START
add_header 'Access-Control-Allow-Credentials' 'false' always;
add_header "Access-Control-Allow-Origin" "$origin_http" always;
add_header "Access-Control-Allow-Methods" "GET, POST, OPTIONS, HEAD" always;
add_header "Access-Control-Allow-Headers" "Authorization, Origin, X-Requested-With, Content-Type, Accept" always;
# CORS END
}
}
Where do I make errors?
Thank you
I have a site in wordpress (say www.example.com) with subdomains for varius languages, (say en.example.com, fr.example.com) and I need that Cors works correctly for all my subdomains but the browsers (Chrome, Firefox) return the following error:
"Access to font at 'https://www.example.com/wp-content/themes/example/fonts/fontawesome-webfont.woff2?v=4.5.0' from origin 'https://en.example.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource."
My server conf is:
server {
listen 80;
server_name www.example.com example.com;
server_name en.example.com fr.example.com de.example.com;
#return 301 https://www.example.com$request_uri;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
server_name www.example.com example.com en.example.com fr.example.com de.example.com;
root /webServer/siti/exampleCOM;
allow all;
#deny all;
ssl on;
ssl_certificate /etc/ssl/certs/example.crt;
ssl_certificate_key /etc/ssl/private/example.key;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 90m;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
include /etc/nginx/conf.d/redirections/rewriteexampleCOM;
include /webServer/sites/exampleCOM/nginx.conf;
# CORS START
set $origin_http "";
if ($http_origin ~* (.*\.example.com)) {
set $origin_http "*";
}
if ($http_origin ~* (.*\.google.com)) {
set $origin_http "*";
}
if ($http_origin ~* (.*\.twitter.com)) {
set $origin_http "*";
}
if ($http_origin ~* (.*\.facebook.com)) {
set $origin_http "*";
}
if ($http_origin ~* (.*\.facebook.net)) {
set $origin_http "*";
}
# CORS END
location /wp-content {
# CORS START
add_header 'Access-Control-Allow-Credentials' 'false' always;
add_header "Access-Control-Allow-Origin" "$origine_http" always;
add_header "Access-Control-Allow-Methods" "GET, POST, OPTIONS, HEAD" always;
add_header "Access-Control-Allow-Headers" "Authorization, Origin, X-Requested-With, Content-Type, Accept" always;
# CORS END
}
location ~* \.(jpg|jpeg|gif|png|css|js|ico|xml|woff2|woff|ttf)$ {
# CORS START
add_header 'Access-Control-Allow-Credentials' 'false' always;
add_header "Access-Control-Allow-Origin" "$origine_http" always;
add_header "Access-Control-Allow-Methods" "GET, POST, OPTIONS, HEAD" always;
add_header "Access-Control-Allow-Headers" "Authorization, Origin, X-Requested-With, Content-Type, Accept" always;
# CORS END
}
location / {
try_files $uri $uri/ /index.php?$args;
# CORS START
add_header 'Access-Control-Allow-Credentials' 'false' always;
add_header "Access-Control-Allow-Origin" "$origin_http" always;
add_header "Access-Control-Allow-Methods" "GET, POST, OPTIONS, HEAD" always;
add_header "Access-Control-Allow-Headers" "Authorization, Origin, X-Requested-With, Content-Type, Accept" always;
# CORS END
expires off;
}
######################
# Permalinks
if (!-e $request_filename) {
rewrite ^/files(.*) /wp-includes/ms-files.php?file=$1 last;
rewrite ^(/[^/]+)?(/wp-.*) $2 last;
rewrite ^(/[^/]+)?(/.*.php) $2 last;
rewrite ^.*$ /index.php last;
}
# Deny access to any files with a .php extension in the uploads directory
# Works in sub-directory installs and also in multisite network
location ~* /(?:uploads|files)/.*\.php$ {
deny all;
}
# Make sure files with the following extensions do not get loaded by nginx because nginx would display the source code, and these files can contain PASSWORDS!
location ~* \.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$|\.php_ {
return 444;
}
#nocgi
location ~* \.(pl|cgi|py|sh|lua)\$ {
return 444;
}
#disallow
location ~* (roundcube|webdav|smtp|http\:|soap|w00tw00t) {
return 444;
}
location ~ /(\.|wp-config\.php|readme\.html|license\.txt) {
deny all;
}
location ~ /\. {
access_log off;
log_not_found off;
deny all;
}
# Add trailing slash to */wp-admin requests.
rewrite /wp-admin$ $scheme://$host$uri/ permanent;
location ~ \.php$ {
expires off; ## Do not cache dynamic content
# SECURITY : Zero day Exploit Protection
try_files $uri =404;
# ENABLE : Enable PHP, listen fpm sock
fastcgi_split_path_info ^(.+\.php)(/.+)$;
# PHP 5.6
#fastcgi_pass unix:/var/run/php/php5.6-fpm-example.sock;
# PHP 7.3
fastcgi_pass unix:/var/run/php/php7.3-fpm-exampleCOM.sock;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param HTTPS $fastcgi_https;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_read_timeout 360;
# CORS START
add_header 'Access-Control-Allow-Credentials' 'false' always;
add_header "Access-Control-Allow-Origin" "$origin_http" always;
add_header "Access-Control-Allow-Methods" "GET, POST, OPTIONS, HEAD" always;
add_header "Access-Control-Allow-Headers" "Authorization, Origin, X-Requested-With, Content-Type, Accept" always;
# CORS END
}
}
Where do I make errors?
Thank you