feature: add CORS_ALLOW_PRIVATE_NETWORK_ACCESS env var

This is needed to be able to access internal IP ranges from a publicly
available website, e.g. sourcemaps.

https://developer.chrome.com/blog/private-network-access-preflight/

Dockerfile.buildkit.plus

@@ -12,6 +12,7 @@ ENV PROXY_CACHE_VALID_OK "1h"
 ENV PROXY_CACHE_VALID_NOTFOUND "1m"
 ENV PROXY_CACHE_VALID_FORBIDDEN "30s"
 ENV CORS_ENABLED 0
+ENV CORS_ALLOW_PRIVATE_NETWORK_ACCESS ""
 ENV DIRECTORY_LISTING_PATH_PREFIX ""
 ENV STRIP_LEADING_DIRECTORY_PATH ""
 ENV PREFIX_LEADING_DIRECTORY_PATH ""

Dockerfile.oss

@@ -10,6 +10,7 @@ ENV PROXY_CACHE_VALID_OK "1h"
 ENV PROXY_CACHE_VALID_NOTFOUND "1m"
 ENV PROXY_CACHE_VALID_FORBIDDEN "30s"
 ENV CORS_ENABLED 0
+ENV CORS_ALLOW_PRIVATE_NETWORK_ACCESS ""
 ENV DIRECTORY_LISTING_PATH_PREFIX ""
 ENV STRIP_LEADING_DIRECTORY_PATH ""
 ENV PREFIX_LEADING_DIRECTORY_PATH ""

Dockerfile.plus

@@ -12,6 +12,7 @@ ENV PROXY_CACHE_VALID_OK "1h"
 ENV PROXY_CACHE_VALID_NOTFOUND "1m"
 ENV PROXY_CACHE_VALID_FORBIDDEN "30s"
 ENV CORS_ENABLED 0
+ENV CORS_ALLOW_PRIVATE_NETWORK_ACCESS ""
 ENV DIRECTORY_LISTING_PATH_PREFIX ""
 ENV STRIP_LEADING_DIRECTORY_PATH ""
 ENV PREFIX_LEADING_DIRECTORY_PATH ""

common/docker-entrypoint.d/00-check-for-required-env.sh

@@ -135,3 +135,4 @@ echo "Provide Index Pages Enabled: ${PROVIDE_INDEX_PAGE}"
 echo "Append slash for directory enabled: ${APPEND_SLASH_FOR_POSSIBLE_DIRECTORY}"
 echo "Stripping the following headers from responses: x-amz-;${HEADER_PREFIXES_TO_STRIP}"
 echo "CORS Enabled: ${CORS_ENABLED}"
+echo "CORS Allow Private Network Access: ${CORS_ALLOW_PRIVATE_NETWORK_ACCESS}"

common/etc/nginx/templates/gateway/cors.conf.template

@@ -1,5 +1,15 @@
 set $request_cors "${request_method}_${CORS_ENABLED}";
 
+set $cors_private_network '${CORS_ALLOW_PRIVATE_NETWORK_ACCESS}';
+
+if ($cors_private_network = 'true') {
+    set $allow_cors_private_network 'true';
+}
+
+if ($cors_private_network = 'false') {
+    set $allow_cors_private_network 'false';
+}
+
 if ($request_cors = "OPTIONS_1") {
     add_header 'Access-Control-Allow-Origin' '${CORS_ALLOWED_ORIGIN}';
     add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
@@ -11,6 +21,12 @@ if ($request_cors = "OPTIONS_1") {
     # Tell client that this pre-flight info is valid for 20 days
     #
     add_header 'Access-Control-Max-Age' 1728000;
+    #
+    # Allow/deny Private Network Access CORS requests.
+    # https://developer.chrome.com/blog/private-network-access-preflight/
+    #
+    add_header 'Access-Control-Allow-Private-Network' $allow_cors_private_network;
+
     add_header 'Content-Type' 'text/plain; charset=utf-8';
     add_header 'Content-Length' 0;
     return 204;

docs/getting_started.md

@@ -44,6 +44,7 @@ running as a Container or as a Systemd service.
 | `CORS_ALLOWED_ORIGIN`                 | No        |                              |           | value to set to be returned from the CORS `Access-Control-Allow-Origin` header. This value is only used if CORS is enabled. (default: \*)                                                                                                                                                                                                                                                                                                                    |
 | `STRIP_LEADING_DIRECTORY_PATH`        | No        |                              |           | Removes a portion of the path in the requested URL (if configured). Useful when deploying to an ALB under a folder (eg. www.mysite.com/somepath).                                                                                                                                                                                                                                                                                                            |
 | `PREFIX_LEADING_DIRECTORY_PATH`       | No        |                              |           | Prefix to prepend to all S3 object paths. Useful to serve only a subset of an S3 bucket. When used in combination with `STRIP_LEADING_DIRECTORY_PATH`, this allows the leading path to be replaced, rather than just removed.                                                                                                                                                                                                                                |
+| `CORS_ALLOW_PRIVATE_NETWORK_ACCESS`   | No        | `true`, `false`              |           | Flag that enables responding to the CORS OPTIONS pre-flight request header `Access-Control-Request-Private-Network` with the `Access-Control-Allow-Private-Network` header. If the value is "true", responds with "true", if "false" responds with "false". If the environment variable is blank/not set, does not respond with any header. This value is only used if CORS is enabled. See [Private Network Access: introducing preflights](https://developer.chrome.com/blog/private-network-access-preflight/) for more information about this header. |
 
 If you are using [AWS instance profile credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html),
 you will need to omit the `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `AWS_SESSION_TOKEN` variables from

standalone_ubuntu_oss_install.sh

@@ -97,6 +97,7 @@ echo "Proxy Caching Time for Valid Response: ${PROXY_CACHE_VALID_OK}"
 echo "Proxy Caching Time for Not Found Response: ${PROXY_CACHE_VALID_NOTFOUND}"
 echo "Proxy Caching Time for Forbidden Response: ${PROXY_CACHE_VALID_FORBIDDEN}"
 echo "CORS Enabled: ${CORS_ENABLED}"
+echo "CORS Allow Private Network Access: ${CORS_ALLOW_PRIVATE_NETWORK_ACCESS}"
 
 set -o nounset   # abort on unbound variable