diff --git a/deploy.md b/deploy.md index e5c2b15..65da7c0 100644 --- a/deploy.md +++ b/deploy.md 
@@ -20,4 +20,201 @@ There are many options for setting up Strapi, here is an easy workflow that we r - Step 2: Copy `/api` from [this repository](https://github.com/poloclub/argo-graph-share) as a reference of the `snapshot` content type that we have set up. - Step 3: Follow the [Deployment guide of Strapi](https://strapi.io/documentation/v3.x/getting-started/deployment.html). Among the list of supported hosting providers, Heroku is an easy start (and they have a free tier). -You can use the [Roles and Permissions](https://strapi.io/documentation/v3.x/plugins/users-permissions.html) feature (available in the admin dashboard by default) to set up your own access control. This allows you to set up access control without writing any code. \ No newline at end of file +You can use the [Roles and Permissions](https://strapi.io/documentation/v3.x/plugins/users-permissions.html) feature (available in the admin dashboard by default) to set up your own access control. This allows you to set up access control without writing any code. + + +## CORS Anywhere + +Argo is using a modified clone of CORS Anywhere to serve as a CORS reverse-proxy. To learn more about the newest version of CORS Anywhere, please read below. + +[![Build Status](https://travis-ci.com/Rob--W/cors-anywhere.svg?branch=master)](https://travis-ci.com/Rob--W/cors-anywhere) +[![Coverage Status](https://coveralls.io/repos/github/Rob--W/cors-anywhere/badge.svg?branch=master)](https://coveralls.io/github/Rob--W/cors-anywhere?branch=master) + +**CORS Anywhere** is a NodeJS proxy which adds CORS headers to the proxied request. + +The url to proxy is literally taken from the path, validated and proxied. The protocol +part of the proxied URI is optional, and defaults to "http". If port 443 is specified, +the protocol defaults to "https". + +This package does not put any restrictions on the http methods or headers, except for +cookies. 
Requesting [user credentials](http://www.w3.org/TR/cors/#user-credentials) is disallowed. +The app can be configured to require a header for proxying a request, for example to avoid +a direct visit from the browser. + +### Example + +```javascript +// Listen on a specific host via the HOST environment variable +var host = process.env.HOST || '0.0.0.0'; +// Listen on a specific port via the PORT environment variable +var port = process.env.PORT || 8080; + +var cors_proxy = require('cors-anywhere'); +cors_proxy.createServer({ + originWhitelist: [], // Allow all origins + requireHeader: ['origin', 'x-requested-with'], + removeHeaders: ['cookie', 'cookie2'] +}).listen(port, host, function() { + console.log('Running CORS Anywhere on ' + host + ':' + port); +}); + +``` +Request examples: + +* `http://localhost:8080/http://google.com/` - Google.com with CORS headers +* `http://localhost:8080/google.com` - Same as previous. +* `http://localhost:8080/google.com:443` - Proxies `https://google.com/` +* `http://localhost:8080/` - Shows usage text, as defined in `lib/help.txt` +* `http://localhost:8080/favicon.ico` - Replies 404 Not found + +Live examples: + +* https://cors-anywhere.herokuapp.com/ +* https://robwu.nl/cors-anywhere.html - This demo shows how to use the API. + +### Documentation + +#### Client + +To use the API, just prefix the URL with the API URL. Take a look at [demo.html](demo.html) for an example. +A concise summary of the documentation is provided at [lib/help.txt](lib/help.txt). 
+ +**Note: as of February 2021, access to the demo server requires an opt-in**, +see: https://github.com/Rob--W/cors-anywhere/issues/301 + +If you want to automatically enable cross-domain requests when needed, use the following snippet: + +```javascript +(function() { + var cors_api_host = 'cors-anywhere.herokuapp.com'; + var cors_api_url = 'https://' + cors_api_host + '/'; + var slice = [].slice; + var origin = window.location.protocol + '//' + window.location.host; + var open = XMLHttpRequest.prototype.open; + XMLHttpRequest.prototype.open = function() { + var args = slice.call(arguments); + var targetOrigin = /^https?:\/\/([^\/]+)/i.exec(args[1]); + if (targetOrigin && targetOrigin[0].toLowerCase() !== origin && + targetOrigin[1] !== cors_api_host) { + args[1] = cors_api_url + args[1]; + } + return open.apply(this, args); + }; +})(); +``` + +If you're using jQuery, you can also use the following code **instead of** the previous one: + +```javascript +jQuery.ajaxPrefilter(function(options) { + if (options.crossDomain && jQuery.support.cors) { + options.url = 'https://cors-anywhere.herokuapp.com/' + options.url; + } +}); +``` + +#### Server + +The module exports `createServer(options)`, which creates a server that handles +proxy requests. The following options are supported: + +* function `getProxyForUrl` - If set, specifies which intermediate proxy to use for a given URL. + If the return value is void, a direct request is sent. The default implementation is + [`proxy-from-env`](https://github.com/Rob--W/proxy-from-env), which respects the standard proxy + environment variables (e.g. `https_proxy`, `no_proxy`, etc.). +* array of strings `originBlacklist` - If set, requests whose origin is listed are blocked. + Example: `['https://bad.example.com', 'http://bad.example.com']` +* array of strings `originWhitelist` - If set, requests whose origin is not listed are blocked. + If this list is empty, all origins are allowed. 
+ Example: `['https://good.example.com', 'http://good.example.com']` +* function `handleInitialRequest` - If set, it is called with the request, response and a parsed + URL of the requested destination (null if unavailable). If the function returns true, the request + will not be handled further. Then the function is responsible for handling the request. + This feature can be used to passively monitor requests, for example for logging (return false). +* function `checkRateLimit` - If set, it is called with the origin (string) of the request. If this + function returns a non-empty string, the request is rejected and the string is send to the client. +* boolean `redirectSameOrigin` - If true, requests to URLs from the same origin will not be proxied but redirected. + The primary purpose for this option is to save server resources by delegating the request to the client + (since same-origin requests should always succeed, even without proxying). +* array of strings `requireHeader` - If set, the request must include this header or the API will refuse to proxy. + Recommended if you want to prevent users from using the proxy for normal browsing. + Example: `['Origin', 'X-Requested-With']`. +* array of lowercase strings `removeHeaders` - Exclude certain headers from being included in the request. + Example: `["cookie"]` +* dictionary of lowercase strings `setHeaders` - Set headers for the request (overwrites existing ones). + Example: `{"x-powered-by": "CORS Anywhere"}` +* number `corsMaxAge` - If set, an Access-Control-Max-Age request header with this value (in seconds) will be added. + Example: `600` - Allow CORS preflight request to be cached by the browser for 10 minutes. +* string `helpFile` - Set the help file (shown at the homepage). + Example: `"myCustomHelpText.txt"` + +For advanced users, the following options are also provided. + +* `httpProxyOptions` - Under the hood, [http-proxy](https://github.com/nodejitsu/node-http-proxy) + is used to proxy requests. 
Use this option if you really need to pass options + to http-proxy. The documentation for these options can be found [here](https://github.com/nodejitsu/node-http-proxy#options). +* `httpsOptions` - If set, a `https.Server` will be created. The given options are passed to the + [`https.createServer`](https://nodejs.org/api/https.html#https_https_createserver_options_requestlistener) method. + +For even more advanced usage (building upon CORS Anywhere), +see the sample code in [test/test-examples.js](test/test-examples.js). + +#### Demo server + +A public demo of CORS Anywhere is available at https://cors-anywhere.herokuapp.com. This server is +only provided so that you can easily and quickly try out CORS Anywhere. To ensure that the service +stays available to everyone, the number of requests per period is limited, except for requests from +some explicitly whitelisted origins. + +**Note: as of February 2021, access to the demo server requires an opt-in**, +see: https://github.com/Rob--W/cors-anywhere/issues/301 + +If you expect lots of traffic, please host your own instance of CORS Anywhere, and make sure that +the CORS Anywhere server only whitelists your site to prevent others from using your instance of +CORS Anywhere as an open proxy. + +For instance, to run a CORS Anywhere server that accepts any request from some example.com sites on +port 8080, use: +``` +export PORT=8080 +export CORSANYWHERE_WHITELIST=https://example.com,http://example.com,http://example.com:8080 +node server.js +``` + +This application can immediately be run on Heroku, see https://devcenter.heroku.com/articles/nodejs +for instructions. Note that their [Acceptable Use Policy](https://www.heroku.com/policy/aup) forbids +the use of Heroku for operating an open proxy, so make sure that you either enforce a whitelist as +shown above, or severly rate-limit the number of requests. 
+ +For example, to blacklist abuse.example.com and rate-limit everything to 50 requests per 3 minutes, +except for my.example.com and my2.example.com (which may be unlimited), use: + +``` +export PORT=8080 +export CORSANYWHERE_BLACKLIST=https://abuse.example.com,http://abuse.example.com +export CORSANYWHERE_RATELIMIT='50 3 my.example.com my2.example.com' +node server.js +``` + + +### License + +Copyright (C) 2013 - 2021 Rob Wu + +Permission is hereby granted, free of charge, to any person obtaining a copy of +this software and associated documentation files (the "Software"), to deal in +the Software without restriction, including without limitation the rights to +use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies +of the Software, and to permit persons to whom the Software is furnished to do +so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE.
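Review bot: the server example in the added "CORS Anywhere" section sets `originWhitelist: [], // Allow all origins`, which contradicts the guidance later in the same hunk that a self-hosted instance should "only whitelist your site to prevent others from using your instance of CORS Anywhere as an open proxy" (and the Heroku Acceptable Use Policy point a few lines below it). Since deploy.md is the copy-paste path for Argo operators, suggest the example carry a real whitelist with a placeholder for the deploying site's origin, e.g. `originWhitelist: ['https://<your-argo-host>'],` while keeping the `requireHeader: ['origin', 'x-requested-with']` and `removeHeaders: ['cookie', 'cookie2']` lines, or at least a sentence right after the example pointing at the `CORSANYWHERE_WHITELIST` instructions in the "Demo server" subsection. Smaller points in the same hunk: the "Note: as of February 2021, access to the demo server requires an opt-in" paragraph appears twice (under "Client" and again under "Demo server"); the two client snippets hard-code `cors-anywhere.herokuapp.com`, which that note says is opt-in only, so the Argo text should tell readers to substitute their own proxy host; and "the string is send to the client" and "severly rate-limit" are typos ("sent", "severely").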