Stealth CORS with Origin Reflection and Reliable Logging

2026-02-10 22:25:12 +08:00
parent a05c88f6d5
commit 692964625d
2 changed files with 16 additions and 11 deletions
--- a/15
+++ b/15
@@ -3,23 +3,23 @@
 }

 ai-gateway.ldex.dev {
-    # Log all requests to stdout
    log {
        output stdout
    }

-    # 1. Force CORS headers and DELETE duplicates from backend
+    # Stealth CORS: Reflect the requester's origin instead of using "*"
+    # This avoids the "*, *" duplication and looks less suspicious to Zscaler
    header {
-        -Access-Control-Allow-Origin
-        -Access-Control-Allow-Methods
-        -Access-Control-Allow-Headers
-        Access-Control-Allow-Origin *
+        Access-Control-Allow-Origin "{header.Origin}"
        Access-Control-Allow-Methods "GET, POST, OPTIONS"
        Access-Control-Allow-Headers "*"
        Access-Control-Expose-Headers "*"
+        Access-Control-Allow-Credentials "true"
+        # 'defer' ensures we override any headers sent by the backend
+        defer
    }

-    # 2. Immediately handle OPTIONS requests
+    # Handle preflights immediately
    @options {
        method OPTIONS
    }
@@ -27,6 +27,5 @@ ai-gateway.ldex.dev {
        respond "" 204
    }

-    # 3. Proxy everything else
    reverse_proxy ai-gateway:8000
 }
--- a/app/main.py
+++ b/app/main.py
@@ -3,6 +3,12 @@ from fastapi import FastAPI, Request
 from slowapi import _rate_limit_exceeded_handler
 from slowapi.errors import RateLimitExceeded

+import logging
+
+# Set up logging to stdout
+logging.basicConfig(level=logging.INFO)
+logger = logging.getLogger("ai_gateway")
+
 from app.api.router import api_router
 from app.core.config import settings
 from app.core.limiter import limiter
@@ -34,10 +40,10 @@ def create_application() -> FastAPI:
    # Debug Logger Middleware
    @application.middleware("http")
    async def log_requests(request: Request, call_next):
-        print(f"DEBUG: Incoming {request.method} {request.url}")
-        print(f"DEBUG: Origin: {request.headers.get('origin')}")
+        logger.info(f"DEBUG: Incoming {request.method} {request.url}")
+        logger.info(f"DEBUG: Origin: {request.headers.get('origin')}")
        response = await call_next(request)
-        print(f"DEBUG: Status Code: {response.status_code}")
+        logger.info(f"DEBUG: Status Code: {response.status_code}")
        return response

    # Set up Rate Limiter (CORS is handled by Caddy at the edge)