# lighttpd, allow “Access-Control-Allow-Origin:*” headers on the server status page

Maybe there’s someone out there who needs to read the output of lighttpd’s status for monitoring purpose like me tonight, and also, like me, you want to do this using JavaScript, but your browser gives you this nasty error:

XMLHttpRequest cannot load http://otherSubdomain.server.com/lighttpd-status-url-you-have-configured. Origin http://requestingSubdomain.server.com is not allowed by Access-Control-Allow-Origin.

lighttpd allows you to add a custom header for all requests by adding this in a given context:

[perl]setenv.add-response-header = ( "Access-Control-Allow-Origin" => "*" )[/perl]

For this to work, you must enable the mod_setenv.

But if you don’t enable this module, before you enable your mod_status module, you will never see the custom headers come out of your lighttpd HTTP response header output.

So make sure you enable mod_setenv like this:

[perl]
server.modules = (
"mod_fastcgi",
"mod_auth",
"mod_access",
"mod_alias",
"mod_accesslog",
# "mod_simple_vhost",
"mod_rewrite",
"mod_redirect",
"mod_setenv", #before mod_status, very important!
"mod_status",
# "mod_evhost",
"mod_compress",

[/perl]

The header output of your lighttpd status page should look like this now:

[bash]
Access-Control-Allow-Origin:*
Content-Length:5952
Content-Type:text/html
Date:Wed, 30 Nov 2011 01:27:04 GMT
Server:lighttpd/1.4.28
[/bash]

Hope this helps you.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

1. Chris Ghormley

…and if you’re using authentication to see the status you’ll want to move mod_setenv above mod_auth as well. Unfortunately it does require a bit more work than that to defeat the same origin policy with authentication. You can’t use a wildcard in the Access-Control-Allow-Origin header. Here are some more guidelines:

https://developer.mozilla.org/En/HTTP_access_control

2. the mod_setenv are u talking about lighty 1.5 or 1.4? i cannot see that module in my lasted lighty!

3. i found it! internal module

4. For some reason it did not work for me correctly.

I tried setenv.add-response-header = ( “Access-Control-Allow-Origin” => “*” )

since Chrome was not able to load MathJax fonts. Only some files were stamped within their header. I do not understand well the reasoning but it started to work when I moved the above line into the current host section:

$HTTP[“host”] =~ “mathjax” { setenv.add-response-header = ( “Access-Control-Allow-Origin” => “*” ) } 5. Dave I have trouble mixing this with other headers. eg:$HTTP[“scheme”] == “https” {
setenv.add-response-header = (“Strict-Transport-Security” => “max-age=31536000; includeSubDomains”)
}

\$HTTP[“url”] =~ “/fonts/” {
setenv.add-response-header = ( “Access-Control-Allow-Origin” => “*” )
}

If I go to anything on https I get STS, _unless_ it’s got fonts in the URL, then I get the access control header, however I lose the STS.

how can one truly “add” to the response header rather than replacing it? I have tried googling for mixing match conditions for setenv, however nothing I can find!