Forum OpenACS Development: HTML 405 OPTIONS Method Preflighted Request

Debugging a request created in React (JS client), I noticed that NaviServer is unable to receive that request. It returns HTML 405.
https://www.w3schools.com/tags/ref_httpmessages.asp

HTML 405 means that the method is not allowed. NGINX logs the following 405, while NaviServer has no logs of that request except for a few warnings.

Thus I'm unable to capture the client's request. The method is OPTIONS and it's a preflighted request, and I believe either NGINX, NS or both have no support for OPTIONS, or even for other preflighted methods.

Is NaviServer able to handle preflighted requests?

When the content-type is changed to x-www-formurlencoded, the React client's request works just fine.

p.s. The same request works fine when it's executed in Postman client.

NS logs
[30/Jan/2020:23:47:28][9138.7f97d1768700][-conn:tangotech:12:12142-] Notice: checking entry 172.31.40.33 from host_node_map -
[30/Jan/2020:23:47:28][9138.7f97d1768700][-conn:tangotech:12:12142-] Warning: ignore untrusted host header field: '172.31.40.33'
[30/Jan/2020:23:47:28][9138.7f97d1768700][-conn:tangotech:12:12142-] Notice: ignore non-existing or untrusted host header, fall back to backend.tangotechapp.com
[30/Jan/2020:23:47:37][9138.7f97d1768700][-conn:tangotech:12:12143-] Notice: checking entry 172.31.40.33from host_node_map -
[30/Jan/2020:23:47:37][9138.7f97d1768700][-conn:tangotech:12:12143-] Warning: ignore untrusted host header field: '172.31.40.33'
[30/Jan/2020:23:47:37][9138.7f97d1768700][-conn:tangotech:12:12143-] Notice: ignore non-existing or untrusted host header, fall back to backend.tangotechapp.com
[30/Jan/2020:23:47:37][9138.7f97a7fff700][-conn:tangotech:11:12144-] Notice: checking entry 172.31.40.33 from host_node_map -
[30

NGINX logs
172.31.46.143 - - [31/Jan/2020:00:32:58 -0200] "OPTIONS /REST/test-header HTTP/1.1" 405 534 "http://localhost:3000/"; "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36"
172.31.46.143 - - [31/Jan/2020:00:32:59 -0200] "OPTIONS /REST/test-header HTTP/1.1" 405 534 "http://localhost:3000/"; "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36"
172.31.46.143 - - [31/Jan/2020:00:32:59 -0200] "OPTIONS /REST/test-header HTTP/1.1" 405 534 "http://localhost:3000/"; "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865

Posted by Gustaf Neumann on

Iuri,

as often, you are quite fast in saying that some server is unable to do something, etc. It usually helps to describe what you are trying to do, what your setup is, etc.

Concerning the OPTIONS preflight request: When you communicate via NGINX to the NaviServer, and NGINX does not forward the request to the backend, the backend has no chance to react. Talk directly to NaviServer to reduce complexity.

Concerning the log files: you compare the NGINX access.log with the NaviServer system log (error.log). When NaviServer receives the OPTIONS request, you will see an entry in the NaviServer access.log as well.

Concerning OPTIONS: Some OpenACS packages register an OPTIONS handler, some do not. In case the packages you have installed register no such handler, add a *-init.tcl like the following to the tcl directory of one of your packages:

optionshandler-init.tcl

ns_register_proc OPTIONS /REST/* ::my_options_handler

proc ::my_options_handler args {
    ns_log notice "==== my_options_handler is called ==== "
    ns_set put [ns_conn outputheaders] Allow "OPTIONS GET POST"
    ns_return 200 text/plain {}
}

and test it e.g. with curl

$ curl -i -X OPTIONS http://localhost:8100//REST/test-header 
HTTP/1.1 200 OK
Server: NaviServer/4.99.19
Date: Fri, 31 Jan 2020 08:42:26 GMT
Allow: OPTIONS GET POST
Content-Type: text/plain; charset=utf-8
Content-Length: 0
Connection: keep-alive

The response header field "Allow" was added by the handler. You will have to extend it if other HTTP methods should be allowed. My suspicion is that your React client does some CORS preflight requests. See e.g. [1] for how to handle/avoid it.

-g

[1] https://stackoverflow.com/questions/29954037/why-is-an-options-request-sent-and-can-i-disable-it
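
An added example, not part of the original posts and not NaviServer or OpenACS code: a simplified JavaScript model of the browser's CORS preflight decision, showing why the form-urlencoded request is sent directly and which response headers an OPTIONS reply needs before the real request is released. The origin is taken from the NGINX log above; the JSON content type and the CORS reply values are assumptions.

```javascript
// Simplified model of the Fetch-standard preflight rules (no credentials, no value-length limits).
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);

const lowerKeys = (headers) => Object.fromEntries(
  Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));
const tokens = (value) => (value || "").split(",")
  .map((s) => s.trim().toLowerCase()).filter(Boolean);

// Request header names the server must approve via Access-Control-Allow-Headers.
function unsafeHeaderNames(requestHeaders) {
  return Object.entries(lowerKeys(requestHeaders)).filter(([name, value]) => {
    if (!SAFE_HEADERS.has(name)) return true;
    if (name !== "content-type") return false;
    return !SAFE_CONTENT_TYPES.has(value.split(";")[0].trim().toLowerCase());
  }).map(([name]) => name);
}

// True when the browser sends OPTIONS before the real cross-origin request.
function needsPreflight(method, requestHeaders) {
  return !SAFE_METHODS.has(method.toUpperCase()) || unsafeHeaderNames(requestHeaders).length > 0;
}

// True when the OPTIONS response lets the browser release the real request.
function preflightPasses(origin, method, requestHeaders, status, responseHeaders) {
  const res = lowerKeys(responseHeaders);
  if (status < 200 || status > 299) return false; // e.g. the 405 in the NGINX log
  const allowOrigin = res["access-control-allow-origin"];
  if (allowOrigin !== "*" && allowOrigin !== origin) return false;
  const methods = tokens(res["access-control-allow-methods"]);
  if (!SAFE_METHODS.has(method.toUpperCase()) &&
      !methods.includes(method.toLowerCase()) && !methods.includes("*")) return false;
  const allowed = tokens(res["access-control-allow-headers"]);
  return unsafeHeaderNames(requestHeaders)
    .every((name) => allowed.includes(name) || allowed.includes("*"));
}

// Constructed sample values; the JSON content type and CORS_REPLY are assumptions.
const ORIGIN = "http://localhost:3000";
const JSON_REQ = { "Content-Type": "application/json" };
const FORM_REQ = { "Content-Type": "application/x-www-form-urlencoded" };
const ALLOW_ONLY = { Allow: "OPTIONS GET POST" }; // header set shown in the curl output
const CORS_REPLY = { "Access-Control-Allow-Origin": ORIGIN,
  "Access-Control-Allow-Methods": "POST", "Access-Control-Allow-Headers": "Content-Type" };
```

Non-browser clients such as Postman or curl do not apply these checks, which is consistent with the same request working there. Naming the expected origin in Access-Control-Allow-Origin, as CORS_REPLY does, keeps the API from being readable by arbitrary sites.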