Mautic, NGINX, CORS

jester · October 12, 2017, 2:22am

Hello everyone,

I’m fighting with Mautic integration with my website. I use NGINX webserver, mautic is installed on subdomain https://ma.website.com. Mautic works okay, but mautic integration script on the main website cannot be run due to CORS errors:

Code:

Failed to load https://ma.website.com/index.php/mtc/event: The value of the 'Access-Control-Allow-Credentials' header in the response is 'true, true' which must be 'true' when the request's credentials mode is 'include'. Origin 'https://www.website.com' is therefore not allowed access. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.

My Mautic NGINX config:

Code:

server_name ma.website.com; listen *:443 ssl; root /var/www/vhosts/mautic;

ssl_certificate /etc/pki/certs/ma.website.com-bundle.crt;
ssl_certificate_key /etc/pki/certs/ma.website.com.key;

index index.php;

location / {

    try_files $uri $uri/ /index.php?$query_string;
}

sendfile off;

add_header 'Access-Control-Allow-Origin' 'https://www.website.com';
#add_header 'Access-Control-Allow-Methods' 'GET, POST, PATCH, PUT, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'Origin, X-Requested-With, Content-Type, Accept';
add_header 'Access-Control-Allow-Credentials' 'true';

location ~ .php$ {
    fastcgi_split_path_info ^(.+.php)(/.+)$;
    fastcgi_index   index.php;
	fastcgi_pass    127.0.0.1:9000;
	include         fastcgi_params;
	fastcgi_param   SCRIPT_FILENAME    $document_root$fastcgi_script_name;
	fastcgi_param   SCRIPT_NAME        $fastcgi_script_name;
	fastcgi_intercept_errors on;
    fastcgi_buffer_size 16k;
    fastcgi_buffers 4 16k;
}

location ~ /.ht {
    deny all;
}

I tried different combinations, but it still doesn't work with NGINX. Does anyone has working solution for that?

Thank you in advance.

jester · October 12, 2017, 2:22am

Hello everyone,

I’m fighting with Mautic integration with my website. I use NGINX webserver, mautic is installed on subdomain https://ma.website.com. Mautic works okay, but mautic integration script on the main website cannot be run due to CORS errors:

Failed to load https://ma.website.com/index.php/mtc/event: The value of the 'Access-Control-Allow-Credentials' header in the response is 'true, true' which must be 'true' when the request's credentials mode is 'include'. Origin 'https://www.website.com' is therefore not allowed access. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.

My Mautic NGINX config:

    server_name ma.website.com;
    listen *:443 ssl;
    root /var/www/vhosts/mautic;

    ssl_certificate /etc/pki/certs/ma.website.com-bundle.crt;
    ssl_certificate_key /etc/pki/certs/ma.website.com.key;

    index index.php;

    location / {

        try_files $uri $uri/ /index.php?$query_string;
    }

    sendfile off;
    
    add_header 'Access-Control-Allow-Origin' 'https://www.website.com';
	#add_header 'Access-Control-Allow-Methods' 'GET, POST, PATCH, PUT, OPTIONS';
	add_header 'Access-Control-Allow-Headers' 'Origin, X-Requested-With, Content-Type, Accept';
	add_header 'Access-Control-Allow-Credentials' 'true';
	
    location ~ .php$ {
        fastcgi_split_path_info ^(.+.php)(/.+)$;
        fastcgi_index   index.php;
		fastcgi_pass    127.0.0.1:9000;
		include         fastcgi_params;
		fastcgi_param   SCRIPT_FILENAME    $document_root$fastcgi_script_name;
		fastcgi_param   SCRIPT_NAME        $fastcgi_script_name;
		fastcgi_intercept_errors on;
        fastcgi_buffer_size 16k;
        fastcgi_buffers 4 16k;
    }

    location ~ /.ht {
        deny all;
	}

I tried different combinations, but it still doesn’t work with NGINX. Does anyone has working solution for that?

Thank you in advance.

fususu · October 12, 2017, 4:55am

Try this…

add_header Access-Control-Allow-Origin *;

jester · October 12, 2017, 5:51am

Thanks fususu, I tried this already and getting the following message:

Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. Origin 'https://www.website.com' is therefore not allowed access. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.

fususu · October 14, 2017, 4:00am

You add it in the virtual host of that domain? Or the main nginx.conf? In the past I got the similar issue, I added it on the main nginx.conf instead of the virtual host nginx of singular domain. And this may help: https://stackoverflow.com/questions/43114750/header-in-the-response-must-not-be-the-wildcard-when-the-requests-credentia

fususu · October 14, 2017, 5:22am

Also try this if it helps: https://www.mautic.org/community/index.php/7126-cors-error-no-access-control-allow-origin-header-is-present/0

jester · October 16, 2017, 8:47am

Thank you fususu for your help. I turned off CORS checking in Mautic configuration and everything is working fine now.

fususu · October 16, 2017, 8:51am

@jester Congratulation!

Nice to be here with you guys, let’s make a great community!
My blog: https://fususu.com/en/ My fb: https://fb.com/fususuvn

Topic		Replies	Views
Request header field X-Requested-With is not allowed by Access-Control-Allow-Headers. (CORS ) Product Support	3	1073	September 22, 2017
Issues with CORS when trying to configure Mautic 3 and NGinx Mautic 3 - Install/Upgrade Support	21	5742	February 25, 2022
CORS Issues 4.4.4 Product Support	6	676	January 9, 2023
Mautic API with CORS error Product Support	6	926	June 21, 2024
CORS Problems out of the Blue Product Support	26	1119	June 30, 2022

Mautic, NGINX, CORS

Related Topics