add BIRDHOUSE_PROXY_CORS_ALLOW_ORIGIN setting (#611)

fmigneault · web-flow · commit a839d0b2e271 · 2025-12-05T14:38:06.000-05:00
## Overview

Add `BIRDHOUSE_PROXY_CORS_ALLOW_ORIGIN` setting.


## Changes

**Non-breaking changes**
- Proxy: Allow `Access-Control-Allow-Origin` header to be configured using `BIRDHOUSE_PROXY_CORS_ALLOW_ORIGIN` variable.
  - The `cors.include` file is converted to a `cors.include.template` file to allow variable expansion.
  - The default `BIRDHOUSE_PROXY_CORS_ALLOW_ORIGIN="*"` is used to retain the previous behaviour.
  - The `BIRDHOUSE_PROXY_CORS_ALLOW_ORIGIN` variable can reference other variables to allow dynamic configuration
    (notably, to reference `BIRDHOUSE_FQDN_PUBLIC` for same-origin allowance).
  - Align the documentation with corresponding `STAC_CORS_ORIGINS` header implications.
  - Avoids Nginx warnings flagged from using uninitialized `access_control_allow_origin` variable.
diff --git a/.bumpversion.toml b/.bumpversion.toml
@@ -1,5 +1,5 @@
 [tool.bumpversion]
-current_version = "2.18.15"
+current_version = "2.18.16"
 commit = true
 tag = false
 tag_name = "{new_version}"
diff --git a/CHANGES.md b/CHANGES.md
@@ -17,12 +17,27 @@
 
 [//]: # (list changes here, using '-' for each new entry, remove this when items are added)
 
+[2.18.16](https://github.com/bird-house/birdhouse-deploy/tree/2.18.16) (2025-12-05)
+------------------------------------------------------------------------------------------------------------------
+
+## Changes
+
+- Proxy: Allow `Access-Control-Allow-Origin` header to be configured using `BIRDHOUSE_PROXY_CORS_ALLOW_ORIGIN` variable.
+  - A `defaults.include.template` file is introduced to setup global nginx server defaults that can be overridden
+    by more specialized definitions in `location` blocks of components.
+  - The default `BIRDHOUSE_PROXY_CORS_ALLOW_ORIGIN="*"` is used to retain the previous behaviour.
+  - The `BIRDHOUSE_PROXY_CORS_ALLOW_ORIGIN` variable can reference other variables to allow dynamic configuration
+    (notably, to reference `BIRDHOUSE_FQDN_PUBLIC` for same-origin allowance).
+  - Align the documentation with corresponding `STAC_CORS_ORIGINS` header implications.
+  - Avoids Nginx warnings flagged from using uninitialized `access_control_allow_origin` variable
+    (fixes https://github.com/bird-house/birdhouse-deploy/issues/610).
+
 [2.18.15](https://github.com/bird-house/birdhouse-deploy/tree/2.18.15) (2025-12-01)
 ------------------------------------------------------------------------------------------------------------------
 
 ## Changes
 
-- README: remind the user to source control `env.local` securely as it may contains passwords.
+- README: remind the user to source control `env.local` securely as it may contain passwords.
 
 ## Fixes
 
diff --git a/Makefile b/Makefile
@@ -8,7 +8,7 @@ override BIRDHOUSE_MAKE_DIR := $(shell realpath -P $$(dirname $(BIRDHOUSE_MAKE_C
 # Generic variables
 override SHELL       := bash
 override APP_NAME    := birdhouse-deploy
-override APP_VERSION := 2.18.15
+override APP_VERSION := 2.18.16
 
 # utility to remove comments after value of an option variable
 override clean_opt = $(shell echo "$(1)" | $(_SED) -r -e "s/[ '$'\t'']+$$//g")
diff --git a/README.rst b/README.rst
@@ -18,13 +18,13 @@ for a full-fledged production platform.
     * - citation
       - | |citation|
 
-.. |commits-since| image:: https://img.shields.io/github/commits-since/bird-house/birdhouse-deploy/2.18.15.svg
+.. |commits-since| image:: https://img.shields.io/github/commits-since/bird-house/birdhouse-deploy/2.18.16.svg
     :alt: Commits since latest release
-    :target: https://github.com/bird-house/birdhouse-deploy/compare/2.18.15...master
+    :target: https://github.com/bird-house/birdhouse-deploy/compare/2.18.16...master
 
-.. |latest-version| image:: https://img.shields.io/badge/tag-2.18.15-blue.svg?style=flat
+.. |latest-version| image:: https://img.shields.io/badge/tag-2.18.16-blue.svg?style=flat
     :alt: Latest Tag
-    :target: https://github.com/bird-house/birdhouse-deploy/tree/2.18.15
+    :target: https://github.com/bird-house/birdhouse-deploy/tree/2.18.16
 
 .. |readthedocs| image:: https://readthedocs.org/projects/birdhouse-deploy/badge/?version=latest
     :alt: ReadTheDocs Build Status (latest version)
diff --git a/RELEASE.txt b/RELEASE.txt
@@ -1 +1 @@
-2.18.15 2025-12-01T18:03:36Z
+2.18.16 2025-12-05T19:37:01Z
diff --git a/birdhouse/components/README.rst b/birdhouse/components/README.rst
@@ -723,24 +723,26 @@ How to Enable the Component
 STAC Browser
 ============
 
-STAC Browser is a web UI used to interact with the STAC API. 
+STAC Browser is a web UI used to interact with the STAC API.
 
 Usage
 -----
 
-The STAC API can be browsed via the ``stac-browser`` component. By default, the browser will point to the STAC API 
+The STAC API can be browsed via the ``stac-browser`` component. By default, the browser will point to the STAC API
 exposed by the current ``components/stac`` service. 
-Once this component is enabled, the STAC browser will be available at the ``https://<BIRDHOUSE_FQDN_PUBLIC>/stac-browser`` 
-endpoint
+Once this component is enabled, the STAC browser will be available
+at the ``https://<BIRDHOUSE_FQDN_PUBLIC>/stac-browser`` endpoint.
 
-If your STAC API contains geojson data, it is recommended to set the ``STAC_CORS_ORIGINS`` value to accept the origin
-``https://geojson.io`` since the STAC Browser offers a link to open geojson data at this URL. 
+If your STAC API contains GeoJSON data, it is recommended to set the ``STAC_CORS_ORIGINS`` value to accept the origin
+``https://geojson.io`` since the STAC Browser offers a link to open GeoJSON data at this URL.
 Note that you do not need to change the ``STAC_CORS_ORIGINS`` value from the default (which accepts all origins), but
 if you have changed it please update it to include this origin as well.
+If using ``BIRDHOUSE_PROXY_CORS_ALLOW_ORIGIN`` overrides, it is also recommended to reference its value within
+``STAC_CORS_ORIGINS`` to ensure consistency across the stack.
 
 For example:
 
-.. code::shell
+.. code-block:: shell
 
   # If the STAC_CORS_ORIGINS is currently
   export STAC_CORS_ORIGINS='http://example.com ~http:(www|other)\.api\.example\.com'
diff --git a/birdhouse/components/canarie-api/docker_configuration.py.template b/birdhouse/components/canarie-api/docker_configuration.py.template
@@ -108,8 +108,8 @@ SERVICES = {
             # NOTE:
             #   Below version and release time auto-managed by 'make VERSION=x.y.z bump'.
             #   Do NOT modify it manually. See 'Tagging policy' in 'birdhouse/README.rst'.
-            'version': '2.18.15',
-            'releaseTime': '2025-12-01T18:03:36Z',
+            'version': '2.18.16',
+            'releaseTime': '2025-12-05T19:37:01Z',
             'institution': '${BIRDHOUSE_INSTITUTION}',
             'researchSubject': '${BIRDHOUSE_SUBJECT}',
             'supportEmail': '${BIRDHOUSE_SUPPORT_EMAIL}',
@@ -141,8 +141,8 @@ PLATFORMS = {
             # NOTE:
             #   Below version and release time auto-managed by 'make VERSION=x.y.z bump'.
             #   Do NOT modify it manually. See 'Tagging policy' in 'birdhouse/README.rst'.
-            'version': '2.18.15',
-            'releaseTime': '2025-12-01T18:03:36Z',
+            'version': '2.18.16',
+            'releaseTime': '2025-12-05T19:37:01Z',
             'institution': '${BIRDHOUSE_INSTITUTION}',
             'researchSubject': '${BIRDHOUSE_SUBJECT}',
             'supportEmail': '${BIRDHOUSE_SUPPORT_EMAIL}',
diff --git a/birdhouse/components/proxy/conf.d/.gitignore b/birdhouse/components/proxy/conf.d/.gitignore
@@ -1,5 +1,6 @@
 frontend.conf
 all-services.include
+defaults.include
 
 # from private config
 lb_catalog.conf
diff --git a/birdhouse/components/proxy/conf.d/all-services.include.template b/birdhouse/components/proxy/conf.d/all-services.include.template
@@ -34,5 +34,8 @@
         return 302 ${BIRDHOUSE_DOC_URL};
     }
 
+    # server defaults if not overridden in specific location blocks
+    include /etc/nginx/conf.d/defaults.include;
+
     # for other extra components to extend Nginx
     include /etc/nginx/conf.extra-service.d/*/*.conf;
diff --git a/birdhouse/components/proxy/conf.d/cors.include b/birdhouse/components/proxy/conf.d/cors.include
@@ -1,41 +1,43 @@
-      proxy_hide_header 'Access-Control-Allow-Origin';
+    proxy_hide_header 'Access-Control-Allow-Origin';
 
-     if ( $access_control_allow_origin ~ "^$" ) {
-        set $access_control_allow_origin '*';
-     }
+    # assumes that the server default is configured or overriden by a specific location block as needed
+    # if explicitly set to empty, align it with the standard value allowing any origin
+    if ( $access_control_allow_origin ~ "^$" ) {
+       set $access_control_allow_origin '*';
+    }
 
-     set $vary_origin ""; # nginx will omit this header value if set to the empty string
-     if ( $access_control_allow_origin != '*' ) {
-        set $vary_origin Origin;
-     }
+    set $vary_origin ""; # nginx will omit this header value if set to the empty string
+    if ( $access_control_allow_origin != '*' ) {
+       set $vary_origin Origin;
+    }
 
-     if ($request_method = 'OPTIONS') {
-        add_header 'Access-Control-Allow-Origin' $access_control_allow_origin;
-        add_header Vary $vary_origin;
-        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
-        #
-        # Custom headers and headers various browsers *should* be OK with but aren't
-        #
-        add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
-        #
-        # Tell client that this pre-flight info is valid for 20 days
-        #
-        add_header 'Access-Control-Max-Age' 1728000;
-        add_header 'Content-Type' 'text/plain; charset=utf-8';
-        add_header 'Content-Length' 0;
-        return 204;
-     }
-     if ($request_method = 'POST') {
-        add_header 'Access-Control-Allow-Origin' $access_control_allow_origin;
-        add_header Vary $vary_origin;
-        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
-        add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
-        add_header 'Access-Control-Expose-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
-     }
-     if ($request_method = 'GET') {
-        add_header 'Access-Control-Allow-Origin' $access_control_allow_origin;
-        add_header Vary $vary_origin;
-        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
-        add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
-        add_header 'Access-Control-Expose-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
-     }
+    if ($request_method = 'OPTIONS') {
+       add_header 'Vary' $vary_origin;
+       add_header 'Access-Control-Allow-Origin' $access_control_allow_origin;
+       add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+       #
+       # Custom headers and headers various browsers *should* be OK with but aren't
+       #
+       add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
+       #
+       # Tell client that this pre-flight info is valid for 20 days
+       #
+       add_header 'Access-Control-Max-Age' 1728000;
+       add_header 'Content-Type' 'text/plain; charset=utf-8';
+       add_header 'Content-Length' 0;
+       return 204;
+    }
+    if ($request_method = 'POST') {
+       add_header 'Vary' $vary_origin;
+       add_header 'Access-Control-Allow-Origin' $access_control_allow_origin;
+       add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+       add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
+       add_header 'Access-Control-Expose-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
+    }
+    if ($request_method = 'GET') {
+       add_header 'Vary' $vary_origin;
+       add_header 'Access-Control-Allow-Origin' $access_control_allow_origin;
+       add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+       add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
+       add_header 'Access-Control-Expose-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
+    }
diff --git a/birdhouse/components/proxy/conf.d/defaults.include.template b/birdhouse/components/proxy/conf.d/defaults.include.template
@@ -0,0 +1,3 @@
+    # These defaults are set at the server level and can be overridden by location blocks
+
+    set $access_control_allow_origin "${BIRDHOUSE_PROXY_CORS_ALLOW_ORIGIN}";
diff --git a/birdhouse/components/proxy/default.env b/birdhouse/components/proxy/default.env
@@ -6,6 +6,15 @@ export PROXY_IMAGE="nginx:1.23.4"
 # Any WPS processes taking longer than this should use async mode.
 export PROXY_READ_TIMEOUT_VALUE="240s"
 
+# CORS settings for the proxy to control which origins are allowed to access the service endpoints.
+# Set to "*" to allow all origins by default.
+# If explicitly set to empty string or omitted, it will also employ "*" by default.
+# If you want to restrict access, set this to the space-delimited allowed domain(s).
+# Can use other variables if needed (e.g.: '${BIRDHOUSE_PROXY_SCHEME}://${BIRDHOUSE_FQDN_PUBLIC}').
+# Consider that adjusting this parameter could require other CORS-related settings to be adjusted as well
+# for specific components, such as the 'STAC_CORS_ORIGINS' variable for STAC. Refer to its documentation for details.
+export BIRDHOUSE_PROXY_CORS_ALLOW_ORIGIN="*"
+
 export BIRDHOUSE_HTTP_ONLY="False"
 export BIRDHOUSE_PROXY_SCHEME='$([ x"$BIRDHOUSE_HTTP_ONLY" = x"True" ] && echo http || echo https )'
 export BIRDHOUSE_ALLOW_UNSECURE_HTTP='$([ x"$BIRDHOUSE_HTTP_ONLY" = x"True" ] && echo True || echo )'
@@ -38,6 +47,7 @@ export DELAYED_EVAL="
   PROXY_INCLUDE_HTTPS
   PROXY_INCLUDE_FOR_PORT_80
   BIRDHOUSE_PROXY_ROOT_LOCATION
+  BIRDHOUSE_PROXY_CORS_ALLOW_ORIGIN
 "
 
 # add any new variables not already in 'VARS' or 'OPTIONAL_VARS' that must be replaced in templates here
@@ -47,6 +57,7 @@ export VARS="
   \$BIRDHOUSE_DEPLOY_SERVICES_JSON
   \$BIRDHOUSE_VERSION_JSON
   \$BIRDHOUSE_PROXY_SCHEME
+  \$BIRDHOUSE_PROXY_CORS_ALLOW_ORIGIN
 "
 
 export OPTIONAL_VARS="
diff --git a/birdhouse/components/stac/default.env b/birdhouse/components/stac/default.env
@@ -53,6 +53,8 @@ export PYSTAC_STAC_VERSION_OVERRIDE=1.0.0
 # https://example.com and http://other.example.com will get a response with the Access-Control-Allow-Origin header set
 # to their origin, but http://example.ca will not.
 # By default all origins are allowed. Set STAC_CORS_ORIGINS in the local environment file to limit the allowed origins.
+# Default is aligned with BIRDHOUSE_PROXY_CORS_ALLOW_ORIGIN="*", any adjustment there should be reflected here too.
+# However, this is left as manual step to allow flexibility in case a different CORS policy is desired for STAC.
 export STAC_CORS_ORIGINS="~.*"
 export STAC_ADDITIONAL_CORS_ORIGINS='$(for origin in $STAC_CORS_ORIGINS; do echo "$origin \$http_origin;"; done;)'
 
diff --git a/birdhouse/env.local.example b/birdhouse/env.local.example
@@ -110,7 +110,7 @@ export GEOSERVER_ADMIN_PASSWORD="${__DEFAULT__GEOSERVER_ADMIN_PASSWORD}"
 #"
 
 #############################################################
-# Scheduler Job variables
+# Scheduler Job and autodeploy variables
 #############################################################
 
 # If the scheduler component is enabled in BIRDHOUSE_EXTRA_CONF_DIRS you can select which jobs you
@@ -124,7 +124,7 @@ export GEOSERVER_ADMIN_PASSWORD="${__DEFAULT__GEOSERVER_ADMIN_PASSWORD}"
 # Extra repos, than the current repo, the autodeploy should keep up-to-date.
 # Any changes to these extra repos will also trigger autodeploy.
 #
-# Useful to save the instanciated version of this env.local config file and
+# Useful to save the instantiated version of this env.local config file and
 # any custom docker-compose-extra.yml from the previous BIRDHOUSE_EXTRA_CONF_DIRS var.
 #
 # Note:
@@ -214,6 +214,10 @@ export GEOSERVER_ADMIN_PASSWORD="${__DEFAULT__GEOSERVER_ADMIN_PASSWORD}"
 # and the local environment file).
 #SCHEDULER_JOB_BACKUP_ARGS='-a \* -u \* -l \* --birdhouse-logs --local-env-file'
 
+#############################################################
+# proxy access variables
+#############################################################
+
 # Content of "location /" in file config/proxy/conf.d/all-services.include.template
 # Useful to have a custom homepage.
 # Default:
@@ -249,6 +253,19 @@ export GEOSERVER_ADMIN_PASSWORD="${__DEFAULT__GEOSERVER_ADMIN_PASSWORD}"
 #
 #export BIRDHOUSE_ALLOW_UNSECURE_HTTP=""
 
+# CORS settings for the proxy to control which origins are allowed to access the service endpoints.
+# Set to "*" to allow all origins by default.
+# If explicitly set to empty string or omitted, it will also employ "*" by default.
+# If you want to restrict access, set this to the space-delimited allowed domain(s).
+# Can use other variables if needed (e.g.: '${BIRDHOUSE_PROXY_SCHEME}://${BIRDHOUSE_FQDN_PUBLIC}').
+# Consider that adjusting this parameter could require other CORS-related settings to be adjusted as well
+# for specific components, such as the 'STAC_CORS_ORIGINS' variable for STAC. Refer to its documentation for details.
+#export BIRDHOUSE_PROXY_CORS_ALLOW_ORIGIN="*"
+
+#############################################################
+# JupyterHub variables
+#############################################################
+
 # Jupyter single-user server images
 #export JUPYTERHUB_DOCKER_NOTEBOOK_IMAGES="pavics/workflow-tests:py311-250423-update250730 \
 #                                          pavics/crim-jupyter-eo:0.3.0 \
@@ -453,8 +470,10 @@ export GEOSERVER_ADMIN_PASSWORD="${__DEFAULT__GEOSERVER_ADMIN_PASSWORD}"
 # level = DEBUG
 # "
 
-# Thredds server customization
-#
+#############################################################
+# THREDDS variables
+#############################################################
+
 # Name of organization hosting the Thredds server
 #export THREDDS_ORGANIZATION="Birdhouse"
 
@@ -547,6 +566,10 @@ export THREDDS_ADDITIONAL_CATALOG=''
 #export THREDDS_MAGPIE_EXTRA_METADATA_PREFIXES='".+\\.txt", ".+\\.md", ".+\\.rst"'
 #export THREDDS_MAGPIE_EXTRA_DATA_PREFIXES=''
 
+#############################################################
+# Magpie variables (user/group/permission management)
+#############################################################
+
 # Allow using Github as external AuthN/AuthZ provider with Magpie
 #   To setup Github as login, goto <https://github.com/settings/developers> under section [OAuth Apps]
 #   and create a new Magpie application with configurations:
@@ -602,6 +625,10 @@ export THREDDS_ADDITIONAL_CATALOG=''
 #export JUPYTER_LOGIN_BANNER_TOP_SECTION=""
 #export JUPYTER_LOGIN_BANNER_BOTTOM_SECTION=""
 
+#############################################################
+# Processing/data services variables
+#############################################################
+
 # Raven to use the local Geoserver instead of the default production.
 # See raven/default.env for more info.
 #export RAVEN_GEO_URL="${BIRDHOUSE_PROXY_SCHEME}://${BIRDHOUSE_FQDN}/geoserver/"
diff --git a/docs/source/conf.py b/docs/source/conf.py
@@ -69,9 +69,9 @@
 # built documents.
 #
 # The short X.Y version.
-version = '2.18.15'
+version = '2.18.16'
 # The full version, including alpha/beta/rc tags.
-release = '2.18.15'
+release = '2.18.16'
 
 # The language for content autogenerated by Sphinx. Refer to documentation
 # for a list of supported languages.

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-2.18.15 2025-12-01T18:03:36Z`
	`1`	`+2.18.16 2025-12-05T19:37:01Z`
Original file line number	Diff line number	Diff line change
`@@ -34,5 +34,8 @@`
`34`	`34`	`return 302 ${BIRDHOUSE_DOC_URL};`
`35`	`35`	`}`
`36`	`36`
	`37`	`+ # server defaults if not overridden in specific location blocks`
	`38`	`+ include /etc/nginx/conf.d/defaults.include;`
	`39`	`+`
`37`	`40`	`# for other extra components to extend Nginx`
`38`	`41`	`include /etc/nginx/conf.extra-service.d//.conf;`