Allow both HTTP and HTTPS and multi domain in CORS header on nginx

Wanted to allow both HTTP and HTTPS to POST to the API of an old solution I’ve been maintaining lately. But the Access-Control-Allow-Origin only allows a single domain with strict scheme. This made me look around in the nginx docs again.

Since my site is also answering on multiple domains, this is pretty neat:

location /api/ {
    add_header Access-Control-Allow-Origin "${scheme}://${server_name}";
    proxy_pass http://localhost:4242/;


If you have any comments or feedback, please send me an e-mail. (stig at stigok dotcom)