CORS getting magically striped

I really hope that somebody has an idea on what might be going on here. I’m using Cloudflare to deliver static files like picture and especially streaming resources like m4s segments using HLS and MPEG DASH. To aggregate more bandwidth, I use the Cloudflare Load balancer implementation against 10 origin servers and I really have to say that it’s always blazing fast, really fast!

While downloading static assets like pictures and other files, I’m experiencing no issues at all! But as soon as it comes down to streaming, using VideoJS v.7.20.2 here, Cloudflare magically stripes CORS headers, which again leads to the problem that the player is not able to properly pull segments.

To give you and Idea on what I’m talking about, this is how streaming look like if I directly pull the stuff from my server without using Cloudflare at all:

As you can see, without Cloudflare I have an access-control-allow-origin header and with Cloudflare it magically disappears.

The even more funny part is that I had it working for almost 3 weeks under the use of Cloudflare and without changing anything on my servers it also magically stopped working again. It’s really a funny Proxy Cloudflare runs here.

At my Webserver (NGINX) I have the following two location blocks setup, one for HLS the other for MPD streaming:

        location /mpd {
           alias /srv/;
           auth_jwt_enabled on;
           add_header cache-control no-cache always;
           add_header access-control-allow-credentials true;
           add_header access-control-allow-origin $allow_origin;
           add_header access-control-expose-headers "content-encoding,content-length,content-range,date";
           add_header access-control-allow-headers "access-control-expose-headers,access-control-allow-credentials,access-control-allow-origin,authorization,accept,accept-encoding,accept-language,access-control-request-headers,access-control-request-method,cache-control,connection,dnt,host,pragma,sec-fetch-dest,sec-fetch-mode,sec-fetch-site,sec-gpc,te,user-agent";
           # Trick preflight option requests of media players like VideoJS
           if ($request_method = OPTIONS) {
               add_header accept-ranges Bytes always;
               add_header access-control-allow-credentials true;
               add_header access-control-allow-headers "access-control-allow-headers,access-control-expose-headers,access-control-allow-credentials,access-control-allow-origin,authorization,accept,accept-encoding,accept-language,access-control-request-headers,access-control-request-method,cache-control,connection,dnt,host,pragma,sec-fetch-dest,sec-fetch-mode,sec-fetch-site,sec-gpc,te,user-agent" always;
               add_header access-control-allow-methods "GET, HEAD, OPTIONS";
               add_header access-control-allow-origin $allow_origin;
               add_header content-type "text/plain charset=UTF-8";
               add_header content-length 0;
               return 204;
               }

           types {
              application/dash+xml mpd;
              video/iso.segment m4s;
              text/html html;
           }

           if ($invalid_referer){
              return 403;
           }

           if ($request_method !~ ^(GET|HEAD|OPTIONS)$ ){
              return 405;
           }
        }

        location /hls {
           alias /srv/;
           auth_jwt_enabled on;add_header cache-control no-cache always;
           add_header access-control-allow-credentials true;
           add_header access-control-allow-origin $allow_origin;
           add_header access-control-expose-headers "content-encoding,content-length,content-range,date";
           add_header access-control-allow-headers "access-control-expose-headers,access-control-allow-credentials,access-control-allow-origin,authorization,accept,accept-encoding,accept-language,access-control-request-headers,access-control-request-method,cache-control,connection,dnt,host,pragma,sec-fetch-dest,sec-fetch-mode,sec-fetch-site,sec-gpc,te,user-agent";
           # Trick preflight option requests of media players like VideoJS
           if ($request_method = OPTIONS) {
               add_header accept-ranges Bytes always;
               add_header access-control-allow-credentials true;
               add_header access-control-allow-headers "access-control-allow-headers,access-control-expose-headers,access-control-allow-credentials,access-control-allow-origin,authorization,accept,accept-encoding,accept-language,access-control-request-headers,access-control-request-method,cache-control,connection,dnt,host,pragma,sec-fetch-dest,sec-fetch-mode,sec-fetch-site,sec-gpc,te,user-agent" always;
               add_header access-control-allow-methods "GET, HEAD, OPTIONS";
               add_header access-control-allow-origin $allow_origin;
               add_header content-type "text/plain charset=UTF-8";
               add_header content-length 0;
               return 204;
               }

           types {
              application/vnd.apple.mpegurl m3u8;
              video/iso.segment m4s;
              text/html html;
           }

           if ($invalid_referer){
              return 403;
           }

           if ($request_method !~ ^(GET|HEAD|OPTIONS)$ ){
              return 405;
           }
        }

Does maybe somebody ran into a similar problem and knows a solution?

And this is the same under the use of Cloudflare:

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.