add post: CORS support in Sinatra Rack environment

1 files changed, 96 insertions, 0 deletions

diff --git a/_posts/2015-06-02-cors-support-in-sinatra-rack-environment.md b/_posts/2015-06-02-cors-support-in-sinatra-rack-environment.md
new file mode 100644
index 0000000..e10d239
--- /dev/null
+++ b/_posts/2015-06-02-cors-support-in-sinatra-rack-environment.md
@@ -0,0 +1,96 @@
+---
+layout: post
+title: "CORS support in Sinatra Rack environment"
+description: "How to add CORS support to Sinatra Rack environment, Nginx or Apache2."
+category: Installation
+tags: [Setup, apache, Nginx, ruby]
+---
+{% include JB/setup %}
+**This post explains how to enable CORS support to Sinatra Rack environment, Nginx or Apache2.**
+
+**see also:** 
+
+  * [http://en.wikipedia.org/wiki/Cross-origin_resource_sharing](http://en.wikipedia.org/wiki/Cross-origin_resource_sharing)
+  * [http://enable-cors.org/server.html](http://enable-cors.org/server.html) 
+
+CORS support for webservers 
+---------------------------
+to deliver static webpages with a webserver:
+
+add headers in Apache2:
+
+        Header set Access-Control-Allow-Origin "*"
+        Header set Access-Control-Allow-Credentials true
+        Header set Access-Control-Allow-Methods "GET, POST, DELETE, PUT, PATCH, OPTIONS"
+        Header set Access-Control-Allow-Headers "Content-Type, api_key, Authorization"
+
+add headers in nginx:
+
+        add_header 'Access-Control-Allow-Methods' 'GET, POST, DELETE, PUT, PATCH, OPTIONS';
+        add_header 'Access-Control-Allow-Credentials' 'true';
+        add_header 'Access-Control-Allow-Origin' "*";
+        add_header 'Access-Control-Allow-Headers' 'Origin, X-Requested-With, Content-Type, api_key, Authorization';
+
+CORS support in Sinatra Rack environment
+----------------------------------------
+
+add to Gemfile:
+
+```ruby
+    gem 'rack-cors', :require => 'rack/cors'
+```
+
+in application code add header to routes:
+
+```ruby
+    class Application < Service
+  
+      use Rack::Cors do |config|
+        config.allow do |allow|
+           allow.origins '*'
+           allow.resource '/file/list_all/', :headers => :any
+           allow.resource '/file/at/*',
+             :methods => [:get, :post, :put, :delete],
+             :headers => :any,
+             :max_age => 0
+           allow.resource '/compound/*',
+             :methods => [:get, :post],
+             :headers => :any,
+             :max_age => 0
+        end
+      end
+```
+
+**NOTE:** headers shouldn't be set both in webserver and rack. 
+Otherwise you have doubled values and it didn't work for some applications:
+e.g.: `Access-Control-Allow-Credentials: true, true` 
+
+CORS support in OpenTox ruby applications 
+-----------------------------------------
+to have a configurable CORS support to opentox ruby webservices we can add a switch to the already existing configuration file `.opentox/config/default.rb` entry of a specific webservice. 
+e.g.: in the definition of the compound webservice add `:cors => true` to enable CORS.
+
+```ruby 
+  $compound = { :uri => "https://myserver_name/compound", :cors => true }
+```
+
+and add modified application code to the opentox-server gem to deploy it to all webservices: 
+
+```ruby
+    class Application < Service
+
+    # add CORS support for swagger
+    if eval("$#{SERVICE}[:cors]") == true
+      use Rack::Cors do |config|
+        config.allow do |allow|
+           allow.origins '*'
+           allow.resource "/#{SERVICE}/*",
+             :methods => [:get, :post, :put, :delete, :patch, :options],
+             :headers => :any,
+             :max_age => 0
+        end
+      end
+    end
+```
+this works in Unicorn-Rack-Sinatra environment behind an Apache or Nginx proxy. Apache or Nginx do not add headers. 
+