CORS proxy operations

This page is the operational runbook for the CORS proxy published at proxy.coragem.app.

The service description and entry point are documented on the CORS proxy page.

  • Public hostname: proxy.coragem.app
  • NGINX entrypoint: web.core.lef (vhost binds to the coragem.app VIP)
  • Backend host: tools.core.lef
  • Observed NGINX upstream: proxy_coragem_app → tools.core.lef:3005 (see the service page for details)

If the proxy blocks a legitimate integration, first identify the missing allowed target/origin/method in the backend and update the allowlist. Avoid adding wildcards without an explicit risk review.

On web.core.lef, the vhost is enabled under /etc/nginx/sites-enabled/public/ and typically symlinks to /etc/nginx/sites-available/coragem.app/proxy.

When changing the vhost:

  • keep strict listener binding (do not listen on 0.0.0.0)
  • keep (or add) rate limits
  • keep security headers
  • avoid adding “proxy_pass $arg_url” patterns or other user-controlled upstream selection
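
A pre-reload lint for the checklist above, as an added example that is not part of the original runbook or the project's tooling. The sample vhosts, the `perip` zone, the `backend_pool` upstream and the address 192.0.2.10 are constructed; the header check only confirms that at least one `add_header` remains.

```shell
#!/bin/sh
# Added example: lint a vhost file. Prints one FAIL line per finding;
# returns 0 when clean, 1 otherwise.
lint_vhost() {
    rc=0
    body=$(sed 's/#.*//' "$1")   # drop comments so disabled directives don't count
    has() { printf '%s\n' "$body" | grep -Eq "$1"; }
    # Bare ports, 0.0.0.0, * and [::] all bind every interface.
    if has '^[[:space:]]*listen[[:space:]]+((0\.0\.0\.0|\*|\[::\]):)?[0-9]+[[:space:];]'; then
        echo "FAIL listen: wildcard or bare-port listener"; rc=1
    fi
    # limit_req_zone alone only declares a zone; require an applied limit.
    if ! has '^[[:space:]]*limit_(req|conn)[[:space:]]'; then
        echo "FAIL ratelimit: no limit_req/limit_conn applied"; rc=1
    fi
    # Coarse check: at least one response header is still being set.
    if ! has '^[[:space:]]*add_header[[:space:]]'; then
        echo "FAIL headers: no add_header directives left"; rc=1
    fi
    # Any variable in proxy_pass lets request data influence the upstream.
    if has 'proxy_pass[[:space:]]+[^;]*\$'; then
        echo "FAIL proxy_pass: variable in upstream, review required"; rc=1
    fi
    return $rc
}

# Constructed samples (not the real vhost); 192.0.2.10 is a documentation address.
write_samples() {
    cat >"$1/good.conf" <<'EOF'
server {
    listen 192.0.2.10:443 ssl;
    limit_req zone=perip burst=10;
    add_header X-Content-Type-Options nosniff always;
    location / { proxy_pass http://backend_pool; }
}
EOF
    cat >"$1/bad.conf" <<'EOF'
server {
    listen 443 ssl;
    # limit_req zone=perip burst=10;
    location / { proxy_pass $arg_url; }
}
EOF
}
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
write_samples "$tmp"
lint_vhost "$tmp/good.conf" && echo "good.conf: clean"
lint_vhost "$tmp/bad.conf" || echo "bad.conf: findings above"
```
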

Validate and reload:

sudo nginx -t
sudo systemctl reload nginx
sudo ss -lntp | grep nginx

From a machine that can reach the public VIP (or from VPN/LAN):

curl -I https://proxy.coragem.app/
curl -I http://192.168.20.113/ -H 'Host: proxy.coragem.app'

Then validate the specific integration path(s) and confirm the proxy still rejects disallowed targets.