No 'Access-Control-Allow-Origin' header is present on requested resource

Our elasticsearch setup has the following cors settings in elasticsearch.yml:

http.cors.enabled: true
http.cors.allow-credentials: true
http.cors.allow-origin: "*"
http.cors.allow-methods: OPTIONS,HEAD,GET,POST,PUT,DELETE
http.cors.allow-headers: "X-Requested-With,Content-Type,Content-Length,x-user"

If we run the following curl command on our server:

curl -H "User-Agent: Mozilla" -H "Origin: http://example.com" -i localhost:9200

we get the correct headers:

HTTP/1.1 200 OK
content-type: application/json; charset=UTF-8
content-length: 533
access-control-allow-origin: *
access-control-allow-credentials: true

However, when we load our webpage with the following ajax call:

var postData = {
  "size": 50,
  "query": {
    "multi_match": {
      "query": request.term.toLowerCase(),
      "type": "bool_prefix",
      "fields": [
        "product",
        "product._2gram",
        "product._3gram"
      ]
    }
  }
};
$.ajax({
  url: "http://localhost:9200/products/_doc/_search",
  type: "GET",
  headers: {"X-User": "user"},
  contentType: "application/json; charset=utf-8",
  data: JSON.stringify(postData),
  dataType: 'json',
  success: function (data) {
    console.log(data);
    var hitsJson = (data.hits.hits);
    for (var key in hitsJson) {
      arr.push(hitsJson[key]._source.product);
    }
    response(arr);
    console.log(arr);
  },
  error: function (xhr) {
    alert("err");
    alert(JSON.stringify(xhr));
  }
});

we receive an error:

Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

and the response headers are missing "access-control-allow-origin: *". This is the response:

Allow: DELETE,POST,PUT,HEAD,GET
content-length: 0
content-type: text/plain; charset=UTF-8

Request headers are as follows:

Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8,de;q=0.7
Access-Control-Request-Headers: content-type,x-user
Access-Control-Request-Method: POST
Connection: keep-alive
Host: localhost:9200
Origin: http://our_IP
Referer: http://our_IP/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36

The webpage with the above ajax call works fine, and we obtain JSON data with the correct response header (access-control-allow-origin: *), if we add "network.host: our_IP" to elasticsearch.yml and change url: "http://localhost:9200/products/_doc/_search" in the above ajax call to url: "http://our_IP:9200/products/_doc/_search".

But if possible we would prefer to not use the "network.host: our_IP" option in elasticsearch.yml.

We would be very grateful if somebody could help us with this problem.
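
The check a browser applies to a preflight response, as an added example that is not part of the original post. The curl test in the post sends a plain GET, while the failing browser request is an OPTIONS preflight, so this sketch evaluates the preflight response quoted above against the same rules. Assumptions: `checkPreflight` and `splitList` are hypothetical helper names, the 200 status is assumed, and the second response is constructed from the elasticsearch.yml values rather than captured.

```javascript
// Added example: simplified version of the browser's CORS preflight check.
// Response header names are lower case, as in the responses quoted in the post.
function splitList(value) {
  return (value || "").split(",").map(s => s.trim().toLowerCase()).filter(Boolean);
}

function checkPreflight(req, res, withCredentials = false) {
  const h = res.headers;
  const allowOrigin = h["access-control-allow-origin"];
  if (allowOrigin === undefined) return "blocked: no Access-Control-Allow-Origin header";
  // A wildcard origin is never accepted for a credentialed request.
  if (withCredentials && allowOrigin === "*") return "blocked: wildcard origin with credentials";
  if (allowOrigin !== "*" && allowOrigin !== req.origin) return "blocked: origin mismatch";
  if (withCredentials && h["access-control-allow-credentials"] !== "true")
    return "blocked: Access-Control-Allow-Credentials is not true";
  if (res.status < 200 || res.status > 299) return "blocked: preflight status is not 2xx";

  const wildcardOk = list => !withCredentials && list.includes("*");
  const methods = splitList(h["access-control-allow-methods"]);
  const method = req.method.toLowerCase();
  // GET, HEAD and POST are CORS-safelisted and need no explicit listing.
  if (!["get", "head", "post"].includes(method) && !methods.includes(method) && !wildcardOk(methods))
    return "blocked: method " + req.method + " not allowed";

  const allowed = splitList(h["access-control-allow-headers"]);
  for (const name of splitList(req.requestHeaders)) {
    if (!allowed.includes(name) && !wildcardOk(allowed))
      return "blocked: header " + name + " not allowed";
  }
  return "allowed";
}

// Preflight request from the post (Origin is the post's own placeholder).
const preflight = { origin: "http://our_IP", method: "POST", requestHeaders: "content-type,x-user" };
// Response quoted in the post; the status is not shown there, 200 is assumed.
const observed = { status: 200, headers: {
  "allow": "DELETE,POST,PUT,HEAD,GET", "content-length": "0",
  "content-type": "text/plain; charset=UTF-8" } };
// Constructed response built from the elasticsearch.yml values, not a capture.
const configured = { status: 200, headers: {
  "access-control-allow-origin": "*", "access-control-allow-credentials": "true",
  "access-control-allow-methods": "OPTIONS,HEAD,GET,POST,PUT,DELETE",
  "access-control-allow-headers": "X-Requested-With,Content-Type,Content-Length,x-user" } };

console.log(checkPreflight(preflight, observed));         // no allow-origin header
console.log(checkPreflight(preflight, configured));       // passes without credentials
console.log(checkPreflight(preflight, configured, true)); // wildcard plus credentials
```

The third call shows that a response carrying both `access-control-allow-origin: *` and `access-control-allow-credentials: true` is still rejected for a credentialed request, which needs the exact origin echoed back instead of the wildcard.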
