Skip to content
Lua library for enabling CORS in HAProxy
Lua HTML JavaScript Dockerfile
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.
example Initial commit Aug 26, 2019
LICENSE Initial commit Aug 26, 2019 Updated README to have generic path to lua file. Aug 26, 2019

HAProxy CORS Lua Library

Lua library for enabling CORS in HAProxy.


Cross-origin Request Sharing allows you to permit client-side code running within a different domain to call your services. This module extends HAProxy so that it can:

  • set an Access-Control-Allow-Methods header in response to CORS preflight requests.
  • set an Access-Control-Allow-Origin header to whitelist a domain. Note that this header should only ever return either a single domain or an asterisk (*). Otherwise, it would have been possible to hardcode all permitted domains without the need for Lua scripting.

This library checks the incoming Origin header, which contains the calling code's domain, and tries to match it with the list of permitted domains. If there is a match, that domain is sent back in the Access-Control-Allow-Origin header.


  • HAProxy must be compiled with Lua support.


Copy the cors.lua file to the server where you run HAProxy.


Load the cors.lua file via the lua-load directive in the global section of your HAProxy configuration:

    log stdout local0
    lua-load /path/to/cors.lua

In your frontend or listen section, capture the client's Origin request header by adding http-request lua.cors:

http-request lua.cors

Within the same section, invoke the http-response lua.cors action. The first parameter is a a comma-delimited list of HTTP methods that can be used. The second parameter is comma-delimited list of origins that are permitted to call your service.

http-response lua.cors "GET,PUT,POST" ",localhost,localhost:8080"

You can also whitelist all domains by setting the second parameter to an asterisk:

http-response lua.cors "GET,PUT,POST" "*"
You can’t perform that action at this time.