Issue with cross server API access

Hello, I am running Mender 2.1 on a local Ubuntu 18 machine. I am able to log in using the Mender GUI, the web-based user interface. I am also able to call the APIs using the curl command-line utility, as described in the documentation.

I am facing an issue while accessing the Mender APIs from a web page hosted on a different server. I am getting an HTTP 400 error for the preflight HTTP OPTIONS request and then a CORS error.

As per the documentation, Mender supports OPTIONS and cross-server API access. So I tested an OPTIONS request from curl and it works fine; I get 200 OK. But when the web browser sends an OPTIONS request, it fails with HTTP error 400 Bad Request.

I verified the HTTP headers of the request sent from the browser, and I observed that when the “origin” field with the URL of the page is added to the OPTIONS request, it fails with a 400 error.

Is there any additional configuration that needs to be updated to access the Mender APIs across the server?

Hello, the Mender API-gateway verifies the request origin and returns 400 Bad Request if the Origin header doesn’t match the list of allowed domains.

You can control this list using the ALLOWED_HOSTS env variable, which defaults in the demo environment to:

ALLOWED_HOSTS: localhost docker.mender.io

Can you please verify the value of this env variable in your deployment?

Hi Tranchitella, thanks for the reply.

In my “docker-compose.demo.yml” file I have the below allowed hosts under “mender-api-gateway”:

ALLOWED_HOSTS: localhost docker.mender.io

My host server and the Mender demo server are running on the same machine, with port numbers 8081 and 443 respectively.

To allow requests from my host server (which is running on the same machine) I have updated the allowed hosts to have “localhost:8081”, but it did not help.

Using the Chrome browser, I am getting 400 Bad Request when the browser sends the preflight OPTIONS request. And I see a CORS-related error in the console logs.

Can you please check the value of the “Origin” header the browser is sending when making an API call?

Additionally, can you also please enter the api-gateway container (via docker exec) and check the content of the following file: /usr/local/openresty/nginx/conf/nginx.conf? You have a section with the comment:

# validate Origin header if present

Can you please post here the stanza which starts with:

if ($http_origin ~* ...

Thank you!
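Added example, not part of the thread and not Mender code: a probe that sends the same OPTIONS request with and without the headers a browser attaches to a preflight, which is the difference between the curl test (200) and the browser request (400) described above. The stub server, its allowlist, the example origins and the `/api/placeholder` path are constructed stand-ins so the script runs offline; the stub's exact-match rule is an assumption and does not reproduce the gateway's own Origin check.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

ALLOWED_ORIGINS = {"https://allowed.example"}  # constructed stand-in allowlist


class StubGateway(BaseHTTPRequestHandler):
    """Constructed stand-in: 400 when an Origin header is present but not allowed."""

    def do_OPTIONS(self):
        origin = self.headers.get("Origin")
        ok = origin is None or origin in ALLOWED_ORIGINS  # assumed exact match
        self.send_response(200 if ok else 400)
        if ok and origin:
            self.send_header("Access-Control-Allow-Origin", origin)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo output quiet
        pass


def preflight(host, port, path, origin=None, method="GET", tls=False):
    """Send OPTIONS without Origin (plain curl) or with browser preflight headers."""
    headers = {}
    if origin is not None:
        headers["Origin"] = origin
        headers["Access-Control-Request-Method"] = method
    cls = http.client.HTTPSConnection if tls else http.client.HTTPConnection
    conn = cls(host, port, timeout=5)
    try:
        conn.request("OPTIONS", path, headers=headers)
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("Access-Control-Allow-Origin")
    finally:
        conn.close()


def run_demo():
    """Probe the stub with no Origin, an allowed Origin and a rejected Origin."""
    server = HTTPServer(("127.0.0.1", 0), StubGateway)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        port = server.server_address[1]
        origins = [None, "https://allowed.example", "http://other.example:8081"]
        return {o: preflight("127.0.0.1", port, "/api/placeholder", o) for o in origins}
    finally:
        server.shutdown()
        server.server_close()
```

Against a real deployment, call `preflight()` with `tls=True` and pass as `origin` the exact value the browser's network panel shows, scheme and port included.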