Enable CORS with Caddy plugin

Started by gtmax500, March 04, 2025, 02:32:20 AM

Hello All,

This might be more appropriate in the Caddy forums, but I figured I'd start here since it relates to using the OPNsense Caddy plugin GUI.

I was hoping for some help on enabling CORS in the Caddy plugin. I am currently reverse proxying my Immich Server with the Caddy plugin and it works as expected. I am trying to utilize an Immich album in a Home Assistant dashboard and the instructions say I need to enable CORS in the web server to allow access to the API from a different domain. It goes on to give instructions on setting that up in nginx and traefik but not Caddy.

I have found guides on modifying the Caddyfile to enable CORS but I can't figure out how that translates to the OPNsense plugin GUI. Any help would be appreciated. Thank you!

Caddy passes all headers through 1:1 in reverse_proxy mode.

The immich example is to enable CORS for its /own/ webserver that serves immich.

This means just configure it in immich.

If you cannot do that for some reason, use the Caddy Headers menu. Read about what the header_up and header_down directives do, and then attach these headers to your handler in advanced mode.

Though manipulating the headers with the reverse proxy is worse than adding them on the webserver of the reverse proxied application.
Hardware:
DEC740

June 01, 2025, 03:21:23 PM #2 Last Edit: June 01, 2025, 05:51:55 PM by janstadt
@gtmax500 did you get this figured out? I'm running into the exact same issue, having moved from swag to caddy. I have the following headers being added to the immich response:

access-control-allow-headers: 'X-Api-Key, User-Agent, Content-Type' always
access-control-allow-methods: 'GET, PUT, POST, DELETE, OPTIONS' always
access-control-allow-origin: *
access-control-max-age: 1728000
content-length: 121
content-type: text/plain; charset=utf-8

but still getting an error: "has been blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status." Is there a way to respond with a 2xx response for the ORIGIN requests?

June 09, 2025, 04:16:54 PM #3 Last Edit: June 09, 2025, 04:39:08 PM by janstadt
I think I got this going after adding a custom config: https://docs.opnsense.org/manual/how-tos/caddy.html#custom-configuration-files

Gonna leave this here for others who might get stuck as well.

(cors) {
  @cors_preflight method OPTIONS
  @cors header Origin {args.0}

  handle @cors_preflight {
    header Access-Control-Allow-Origin "{args.0}"
    header Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE"
    header Access-Control-Allow-Headers "Content-Type, x-api-key"
    header Access-Control-Max-Age "3600"
    respond "" 204
  }

  handle @cors {
    header Access-Control-Allow-Origin "{args.0}"
    header Access-Control-Expose-Headers "Link"
  }
}

[immich domain] {
  handle /api* {
    import cors [domain making the CORS call (homeassistant wallpanel)]
    reverse_proxy [ip:port of immich]
  }

  handle {

    reverse_proxy [ip:port of immich]
  }
}
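
Added example (not from any poster in this thread, and not Caddy, Immich or OPNsense code): a simplified model of the checks a browser applies to a preflight reply, showing why CORS headers on a non-2xx OPTIONS response still fail while the 204 reply from the snippet above passes. The origin, the 405 status and the object shapes are assumptions; req.headers stands for the Access-Control-Request-Headers list.

```javascript
// Simplified model of a browser's CORS preflight checks (no credentials mode).
const SAFE_METHODS = ["GET", "HEAD", "POST"];

// Split a comma-separated header value into lower-cased tokens.
function tokens(value) {
  return (value || "").split(",").map((t) => t.trim().toLowerCase()).filter(Boolean);
}

// Returns the reasons a preflight fails; an empty list means it passes.
function checkPreflight(req, res) {
  const h = {};
  for (const [k, v] of Object.entries(res.headers)) h[k.toLowerCase()] = v;
  const problems = [];
  if (res.status < 200 || res.status > 299) problems.push(`status ${res.status} is not 2xx`);
  const allowOrigin = h["access-control-allow-origin"];
  if (allowOrigin !== "*" && allowOrigin !== req.origin) {
    problems.push(`allow-origin ${allowOrigin} does not match ${req.origin}`);
  }
  const methods = tokens(h["access-control-allow-methods"]);
  const methodOk = SAFE_METHODS.includes(req.method) || methods.includes("*") ||
    methods.includes(req.method.toLowerCase());
  if (!methodOk) problems.push(`method ${req.method} not allowed`);
  const allowed = tokens(h["access-control-allow-headers"]);
  for (const name of req.headers.map((n) => n.toLowerCase())) {
    if (!allowed.includes("*") && !allowed.includes(name)) {
      problems.push(`header ${name} not allowed`);
    }
  }
  return problems;
}

// Constructed samples: the origin and the 405 status are assumptions.
const request = { origin: "https://ha.example.test", method: "GET", headers: ["x-api-key"] };
// CORS headers attached, but the OPTIONS request still answered with a non-2xx status.
const headersOnly = { status: 405, headers: {
  "Access-Control-Allow-Origin": "*",
  "Access-Control-Allow-Headers": "X-Api-Key, User-Agent, Content-Type",
} };
// Reply shaped like the snippet's preflight branch (respond "" 204).
const snippetReply = { status: 204, headers: {
  "Access-Control-Allow-Origin": "https://ha.example.test",
  "Access-Control-Allow-Methods": "GET, POST, PUT, PATCH, DELETE",
  "Access-Control-Allow-Headers": "Content-Type, x-api-key",
} };

console.log(checkPreflight(request, headersOnly));
console.log(checkPreflight(request, snippetReply));
```

Because the snippet pins Access-Control-Allow-Origin to the imported origin rather than *, a preflight from any other origin fails the allow-origin check in this model.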