Added per-user allow_cors config that may be used for tabix

README.md

@@ -165,6 +165,9 @@ users:
     requests_per_minute: 10
     deny_http: true
 
+    # Allow `CORS` requests for `tabix`.
+    allow_cors: true
+
 clusters:
   - name: "stats-raw"
     nodes: [
@@ -357,6 +360,10 @@ users:
     # Whether to deny input requests over HTTP.
     deny_http: true
 
+    # Whether to allow `CORS` requests like `tabix` does.
+    # By default `CORS` requests are denied for security reasons.
+    allow_cors: true
+
     # Requests per minute limit for the given input user.
     requests_per_minute: 4
 

config/README.md

@@ -127,6 +127,10 @@ deny_http: <bool> | optional | default = false
 # Whether to deny https connections for this user
 deny_https: <bool> | optional | default = false
 
+# Whether to allow `CORS` requests for this user.
+# Such requests are needed for `tabix`.
+allow_cors: <bool> | optional | default = false
+
 # List of networks or network_groups access is allowed from
 # Each list item could be IP address or subnet mask
 allowed_networks: <network_groups>, <networks> ... | optional
@@ -180,4 +184,4 @@ name: <string>
 
 # User password to access CH with basic auth
 password: <string> | optional
-```
+```

config/config.go

@@ -356,6 +356,9 @@ type User struct {
 	// Whether to deny https connections for this user
 	DenyHTTPS bool `yaml:"deny_https,omitempty"`
 
+	// Whether to allow CORS requests for this user
+	AllowCORS bool `yaml:"allow_cors,omitempty"`
+
 	// Maximum number of requests per minute for user
 	// if omitted or zero - no limits would be applied
 	ReqPerMin uint32 `yaml:"requests_per_minute,omitempty"`

config/config_test.go

@@ -85,6 +85,7 @@ func TestLoadConfig(t *testing.T) {
 						ToCluster: "first cluster",
 						ToUser:    "web",
 						DenyHTTP:  true,
+						AllowCORS: true,
 						ReqPerMin: 4,
 					},
 					{

config/examples/https.yml

@@ -14,6 +14,9 @@ users:
     requests_per_minute: 10
     deny_http: true
 
+    # Allow `CORS` requests for `tabix`.
+    allow_cors: true
+
 clusters:
   - name: "stats-raw"
     nodes: [
@@ -24,4 +27,4 @@ clusters:
     ]
     users:
       - name: "web"
-        password: "****"
+        password: "****"

config/testdata/full.yml

@@ -74,6 +74,10 @@ users:
     # Whether to deny input requests over HTTP.
     deny_http: true
 
+    # Whether to allow `CORS` requests like `tabix` does.
+    # By default `CORS` requests are denied for security reasons.
+    allow_cors: true
+
     # Requests per minute limit for the given input user.
     requests_per_minute: 4
 

proxy.go

@@ -53,6 +53,13 @@ func (rp *reverseProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 	}
 	defer s.dec()
 
+	if s.user.allowCORS {
+		origin := req.Header.Get("Origin")
+		if len(origin) > 0 {
+			rw.Header().Set("Access-Control-Allow-Origin", origin)
+		}
+	}
+
 	timeStart := time.Now()
 	req = s.decorateRequest(req)
 
@@ -177,6 +184,7 @@ func (rp *reverseProxy) ApplyConfig(cfg *config.Config) error {
 			toUser:               u.ToUser,
 			denyHTTP:             u.DenyHTTP,
 			denyHTTPS:            u.DenyHTTPS,
+			allowCORS:            u.AllowCORS,
 			toCluster:            u.ToCluster,
 			reqPerMin:            u.ReqPerMin,
 			allowedNetworks:      u.AllowedNetworks,

scope.go

@@ -159,6 +159,8 @@ type user struct {
 	toCluster       string
 	denyHTTP        bool
 	denyHTTPS       bool
+	allowCORS bool
+
 	allowedNetworks config.Networks
 
 	name, password       string