Opened 5 years ago
Closed 4 years ago
#2427 closed task (fixed)
issue with fonts showing on staging.grass.osgeo.org, allow origin update
| Reported by: | robe | Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | Sysadmin Contract 2020-I |
| Component: | SysAdmin | Keywords: | |
| Cc: | neteler |
Description
This is confirmed by (no Access-Control-Allow-Origin: *: in the response)
curl -I https://staging.grass.osgeo.org/plugins/fontawesome/fonts/fontawesome-webfont.ttf?v=4.7.0
@neteler I suggest to edit the nginx config as follow, in order to get rid of those errors
if ($filename ~* .*?\.(eot)|(ttf)|(woff)|(woff2) $){
add_header Access-Control-Allow-Origin *;
}
Change History (11)
comment:1 by , 5 years ago
comment:2 by , 5 years ago
neteler,
I added these fonts to the nginx allowed mime-types. Guess ttf is not included by default.
Now I see this
Server: nginx/1.14.0 (Ubuntu) Date: Sun, 22 Mar 2020 13:20:00 GMT Content-Type: font/ttf Content-Length: 165548 Connection: keep-alive Last-Modified: Sat, 07 Dec 2019 17:14:50 GMT ETag: "286ac-599204cd7bade" Accept-Ranges: bytes Access-Control-Allow-Origin: https://staging.grass.osgeo.org Front-End-Https: on
Is that sufficient or you really need it to be *
comment:3 by , 5 years ago
For reference -- I changed the /etc/nginx/mime-types on the osgeo7 nginx proxy container.
https://git.osgeo.org/gitea/sac/osgeo7/commit/99b374426f135f5371ad25fe8ba0d169da35680b
diff --git a/etc/nginx/mime.types b/etc/nginx/mime.types
index 89be9a4..d4c9c4b 100644
--- a/etc/nginx/mime.types
+++ b/etc/nginx/mime.types
@@ -25,6 +25,9 @@ types {
image/webp webp;
application/font-woff woff;
+ application/font-woff2 woff2;
+ application/x-font-ttf ttc ttf;
+ application/x-font-otf otf;
application/java-archive jar war ear;
application/json json;
application/mac-binhex40 hqx;
The other ones were already in there. before the change there was no Access-Control-Allow-Origin: line showing in the head call. This as a result will take effect for all proxied sites which I think is desirable.
comment:4 by , 5 years ago
| Cc: | added |
|---|---|
| Resolution: | → fixed |
| Status: | new → closed |
neteler,
I think this is all set right? Feel free to reopen if you still have issues.
comment:5 by , 4 years ago
| Resolution: | fixed |
|---|---|
| Status: | closed → reopened |
We are seeing issues with mirror sites: https://github.com/OSGeo/grass-website/issues/22. IIUC, in order for CORS to work here (i.e. mirror sites accessing the fontawesome fonts from the original grass site), the Access-Control-Allow-Origin header would have to be set to '*' instead of 'https://staging.grass.osgeo.org'.
For that, it seems that something like this would do the trick in the Apache virtualhost config:
<FilesMatch ".(eot|otf|ttf|woff|woff2)"> Header always set Access-Control-Allow-Origin "*" </FilesMatch>
Would it be possible to try this ?
follow-up: 7 comment:6 by , 4 years ago
On the grasslxd server, in /etc/apache2/sites-enabled/000-default.conf there is already for a while:
<VirtualHost *:80>
...
<FilesMatch ".(eot|ttf|otf|woff|woff2)">
Header set Access-Control-Allow-Origin "https://staging.grass.osgeo.org"
</FilesMatch>
# https://trac.osgeo.org/osgeo/ticket/2428#comment:3
RemoteIPHeader X-Real-IP
RemoteIPInternalProxy nginx.lxd
</VirtualHost>
Shall I change that to the suggestion in comment:5 ?
comment:7 by , 4 years ago
Replying to neteler:
On the grasslxd server, in
/etc/apache2/sites-enabled/000-default.confthere is already for a while:<VirtualHost *:80> ... <FilesMatch ".(eot|ttf|otf|woff|woff2)"> Header set Access-Control-Allow-Origin "https://staging.grass.osgeo.org" </FilesMatch> # https://trac.osgeo.org/osgeo/ticket/2428#comment:3 RemoteIPHeader X-Real-IP RemoteIPInternalProxy nginx.lxd </VirtualHost>Shall I change that to the suggestion in comment:5 ?
Yes, please. AFAIU, the
Header set Access-Control-Allow-Origin "https://staging.grass.osgeo.org"
limits the access to these fonts to requests coming from staging.grass.osgeo.org. However, we want access to be granted to all mirror sites as well. Using '*' is the easiest option. Another would be to gather all mirror site domains and list them explicitly. Don't know how feasible that would be.
comment:9 by , 4 years ago
Replying to neteler:
ok I have changed to "*" and restarted apache.
That seems to solve the issue for me.
I have just changed that (it is an Apache server), see https://github.com/OSGeo/grass-website/issues/26
But surprisingly, there is no SSL certificate (configured) within the server. Hence all sub-pages are delivered in http and not https. Where to fix that?