push_stream_allowed_origins
The `push_stream_allowed_origins` directive specifies which domains are permitted to access the push stream functionality.
Description
The push_stream_allowed_origins directive is a security feature of the NGINX Push Stream Module, used to control cross-origin resource sharing (CORS) for your streaming setup. By defining this directive, you can explicitly specify which origins (domains) are allowed to receive push notifications via the streaming channels. This is particularly important in scenarios where the streaming service is accessed from web applications hosted on different domains, helping to mitigate potential security risks associated with cross-origin requests.
The directive accepts one argument, which can be a comma-separated list of allowed origins. If a request comes from an origin that is not listed in the push_stream_allowed_origins directive, NGINX will reject the request, thus preventing unauthorized cross-origin access to your push streams. This behavior aids compliance with the same-origin policy, a critical concept in web security that restricts web pages from making requests to domains different from the one that loaded the web page.
This directive can be placed in the `http`, `server`, or `location` contexts within your NGINX configuration, so you can apply it broadly or narrowly depending on your server architecture and security requirements.
Config Example
```nginx
server {
    location /push {
        push_stream_allowed_origins http://example.com;
    }
}
```
Make sure to include the protocol (http or https) in the allowed origins.
If you use multiple origins, separate them with commas without spaces.
Testing from different domains requires the appropriate CORS setup on the client side as well.
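
The notes above can be checked mechanically before a configuration is deployed. The following is an added example, not code from the module or its documentation: a small linter that applies this page's rules (one argument, no spaces after commas, scheme included) to each `push_stream_allowed_origins` line. The names `lint` and `check_origin` and the sample configuration are constructed for illustration, and the check that an entry carries no path assumes an origin is scheme, host, and optional port only.

```python
import re
from urllib.parse import urlsplit

# Captures the directive's value up to the terminating ';' (hypothetical helper names).
DIRECTIVE = re.compile(r"^\s*push_stream_allowed_origins\s+([^;]*);", re.MULTILINE)

def check_origin(origin):
    """Return a problem string for one origin entry, or None if it looks fine."""
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https"):
        return f"{origin!r}: missing http:// or https:// scheme"
    if not parts.hostname:
        return f"{origin!r}: missing host"
    if parts.path or parts.query or parts.fragment:
        return f"{origin!r}: an origin is scheme://host[:port] only"
    return None

def lint(config_text):
    """Return (line_number, problem) pairs for every directive in the text."""
    findings = []
    for m in DIRECTIVE.finditer(config_text):
        line_no = config_text.count("\n", 0, m.start(1)) + 1
        value = m.group(1).strip()
        if re.search(r"\s", value):
            findings.append((line_no, "value contains whitespace; the directive takes one argument"))
        for origin in filter(None, (o.strip() for o in value.split(","))):
            problem = check_origin(origin)
            if problem:
                findings.append((line_no, problem))
    return findings

# Constructed sample configuration (not from a real deployment).
SAMPLE = """\
server {
    location /push {
        push_stream_allowed_origins http://example.com;
    }
    location /spaced {
        push_stream_allowed_origins https://a.example.com, https://b.example.com;
    }
    location /noscheme {
        push_stream_allowed_origins example.com,https://b.example.com/app;
    }
}
"""

if __name__ == "__main__":
    for line_no, problem in lint(SAMPLE):
        print(f"line {line_no}: {problem}")
```

Run against the sample, the linter reports the spaced list on line 6 and the two malformed entries on line 9, and stays silent for the page's own `/push` example.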