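With Rails 5.1, the development environment does not have this problem, but the production environment does. I am not sure whether this is an obvious problem. I was sure it was the Origin header, but I kept using add_header; the correct directive is proxy_set_header.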
Nginx: HTTP Origin header didn't match request.base_url
Errors reported on the production server:
HTTP Origin header (https://www.baseico.com) didn't match request.base_url (http://baseico.com)
HTTP Origin header (https://baseico.com) didn't match request.base_url (http://baseico.com)
HTTP Origin header didn't match request.base_url
The Nginx configuration was as follows:
location / {
    #proxy_set_header Access-Control-Allow-Origin *;
    #proxy_set_header Access-Control-Request-Method *;
    #add_header Origin http://$Host;
    #add_header Scheme http;
    proxy_set_header Origin http://$Host;
    proxy_pass http://baseico.com;
    proxy_set_header Host $Host;
    #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
The correct configuration is:
location / {
    proxy_set_header Origin http://$Host; # correct handling
    proxy_pass http://baseico.com;
    proxy_set_header Host $Host;
}
I found the place in Rails where the error is raised. It is here: https://github.com/rails/rails/blob/master/actionpack/lib/action_controller/metal/request_forgery_protection.rb, line 211.
def verify_authenticity_token # :doc:
  mark_for_same_origin_verification!
  if !verified_request?
    if logger && log_warning_on_csrf_failure
      if valid_request_origin?
        logger.warn "Can't verify CSRF token authenticity."
      else
        logger.warn "HTTP Origin header (#{request.origin}) didn't match request.base_url (#{request.base_url})"
      end
    end
    handle_unverified_request
  end
end
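Nginx is configured for HTTPS, so all requests are https. But by the time they reach the Rails side they are http. I tried changing several parameters in the nginx configuration and finally found that $Host is the host of the request, without the scheme part; the scheme part is http, https and so on.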
proxy_set_header Origin http://$Host;
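
Added example (not from the original post and not Rails or Rack source): a simplified Ruby model of the Origin comparison behind the logged warning, run against three proxy setups. The helper names, the `https://other.example` origin and the `X-Forwarded-Proto` variant are assumptions introduced here; the point is that overwriting Origin at the proxy makes every request pass the comparison, while forwarding the original scheme lets it still tell same-site from cross-site.

```ruby
# Simplified model of the check, for illustration only.
# Assumption: the app takes its scheme from X-Forwarded-Proto when present,
# otherwise from the scheme of the proxied connection (http in this setup).

# Base URL as the app computes it from the forwarded headers (hypothetical helper).
def base_url(headers, upstream_scheme: "http")
  scheme = headers["X-Forwarded-Proto"] || upstream_scheme
  "#{scheme}://#{headers['Host']}"
end

# A missing Origin passes; otherwise it must equal the base URL, scheme included.
def origin_ok?(headers)
  origin = headers["Origin"]
  origin.nil? || origin == base_url(headers)
end

# Headers the proxy sends upstream for one browser request (constructed).
#   :none      -> only Host is set (the failing setup from the log lines)
#   :overwrite -> proxy_set_header Origin http://$Host;
#   :proto     -> proxy_set_header X-Forwarded-Proto $scheme; (assumed alternative)
def proxied(browser_origin, host, mode)
  h = { "Host" => host, "Origin" => browser_origin }
  case mode
  when :overwrite then h["Origin"] = "http://#{host}"
  when :proto     then h["X-Forwarded-Proto"] = "https"
  end
  h
end

SAME_SITE  = "https://baseico.com"
CROSS_SITE = "https://other.example" # constructed value

RESULTS = %i[none overwrite proto].map do |mode|
  [mode, { same:  origin_ok?(proxied(SAME_SITE,  "baseico.com", mode)),
           cross: origin_ok?(proxied(CROSS_SITE, "baseico.com", mode)) }]
end.to_h

RESULTS.each do |mode, r|
  puts format("%-9s same-site=%-5s cross-site=%s", mode, r[:same], r[:cross])
end
```

In this model only the `:proto` setup accepts the same-site request and still rejects the cross-site one; with `:overwrite` the upstream never sees the browser's Origin value.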