[ES 5.0] PUT/POST are forbidden if CORS is enabled


(Xudong You) #1

I set up an ES 5.0 cluster. To allow HEAD to access the ES cluster, I enabled CORS with the following configs:

http.cors.enabled: true
http.cors.allow-origin: /https?://.+?(:[0-9]+)?/

After CORS is enabled, all GET requests work fine, but POST and PUT always fail with a 403 Forbidden error.

What did I miss?


(Alexander Reelsen) #2

Hey,

Do you have an example request that works and one that does not (so one can reproduce this using curl)? Also, there is an http.cors.allow-methods setting that supports PUT and POST as well, but maybe it is overwritten?

Can you paste the output of curl -v 'localhost:9200/_nodes/settings?filter_path=**.cors'

--Alex


(Xudong You) #3

I used ES 5.0.1.

Here is the output of settings?filter_path=**.cors:

{
  "nodes": {
    "moATbDqlR7iaZfoagXIoag": {
      "settings": {
        "http": {
          "cors": {
            "allow-origin": "/https?:\/\/.+?(:[0-9]+)?/",
            "enabled": "true"
          }
        }
      }
    }
  }
}

Example request that works:
GET http://localhost:9200/_search

And an example request that does not work:
PUT http://localhost:9200/testindex
{
  "mappings": {
    "docs": {
      "properties": {
        "title": {
          "type": "text"
        }
      }
    }
  }
}


(Alexander Reelsen) #4

Hey,

Can you provide the original requests, including the headers, so we can reproduce them via curl and see what happens? Also, the responses are not pasted here, so the error message cannot be seen.

Thanks!

--Alex


(Xudong You) #5

Hi Alex,
I have identified the root cause of the 403 Forbidden error I got for all POST and PUT requests, after trying to reproduce it using cURL.

It is because I used Postman to send requests to my cluster, and Postman by default will always append the Origin header for POST and PUT requests with the following value:
chrome-extension://xxxxxx

And it does not match the allowed origin setting in my elasticsearch.yml:
http.cors.allow-origin: /https?://.+?(:[0-9]+)?/

So I got 403 Forbidden.

With cURL, I did not append any header to the request, so it worked as expected.

Thanks for your help!

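The origin check described in the last reply, as an added example that is not part of the original thread and not Elasticsearch's own code: a small Python model of how the http.cors.allow-origin setting is evaluated against a request's Origin header (a value wrapped in slashes is a regular expression that must match the whole Origin, "*" accepts any Origin, anything else is a comma-separated list of literal origins, and a request with no Origin header is not a CORS request and is not rejected by the CORS filter), run over the setting and origins from this thread. The sample origins are constructed; chrome-extension://xxxxxx is the placeholder from the post, not a real extension id.

```python
import re
from typing import Callable, Dict, List, Optional

# Added example: models the documented semantics of http.cors.allow-origin.
# This is not Elasticsearch's implementation, only a model of its behaviour:
#   "*"        -> any Origin is accepted (documented as a security risk)
#   "/.../"    -> the text between the slashes is a regex matched against
#                 the entire Origin header value
#   "a, b"     -> comma-separated literal origins, exact match
#   no Origin  -> not a CORS request, so the CORS filter does not reject it


def parse_allow_origin(setting: str) -> Callable[[str], bool]:
    """Return a predicate origin -> bool for one http.cors.allow-origin value."""
    setting = setting.strip()
    if setting == "*":
        return lambda origin: True
    if len(setting) >= 2 and setting.startswith("/") and setting.endswith("/"):
        pattern = re.compile(setting[1:-1])
        # fullmatch: the whole Origin must match, not just a prefix
        return lambda origin: pattern.fullmatch(origin) is not None
    literals = {o.strip() for o in setting.split(",") if o.strip()}
    return lambda origin: origin in literals


def request_allowed(setting: str, origin: Optional[str]) -> bool:
    """Would the CORS filter let a request carrying this Origin header through?"""
    if origin is None:
        # A plain curl request sends no Origin header: not a CORS request at all,
        # which is why the cURL reproduction in the thread succeeded.
        return True
    return parse_allow_origin(setting)(origin)


def classify(setting: str, origins: List[Optional[str]]) -> Dict[str, bool]:
    """Evaluate every sample origin against one setting; None = no Origin header."""
    return {str(o): request_allowed(setting, o) for o in origins}


# The setting from the thread's elasticsearch.yml
THREAD_SETTING = r"/https?://.+?(:[0-9]+)?/"

# Constructed sample origins: curl (no header), a browser-hosted Head plugin,
# an unrelated public https site, and Postman's chrome-extension origin.
SAMPLE_ORIGINS: List[Optional[str]] = [
    None,
    "http://localhost:9100",
    "https://kibana.example.com:5601",
    "https://evil.example",
    "chrome-extension://xxxxxx",
]

if __name__ == "__main__":
    for origin, ok in classify(THREAD_SETTING, SAMPLE_ORIGINS).items():
        print(f"{origin:36} -> {'allowed' if ok else '403 Forbidden'}")
```

Running it reproduces the thread: the Origin-less curl request and the http://localhost:9100 origin pass, while chrome-extension://xxxxxx is rejected. It also shows the caveat a practitioner should take from this thread: because the regex is matched against the whole header but .+? accepts any host, /https?://.+?(:[0-9]+)?/ lets any http or https site on the web make credentialed cross-origin requests to the cluster, which is close to the effect of "*". A tighter pattern such as /https?://localhost(:[0-9]+)?/ (an assumed value, adjust to wherever Head is actually served from) limits that, and if Postman must be allowed, its specific chrome-extension origin is better added as a literal entry than by widening the regex.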

(system) #6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.