Nginx Subdomains blocked by CORS policy


I have 3 sub-domains (sub1.domain.com, sub2.domain.com, sub3.domain.com).

sub1.domain.com calls sub2.domain.com for information, and I keep getting the following error: Access to XMLHttpRequest at ‘https://sub2.domain.com’ from origin ‘sub1.domain.com’ has been blocked by CORS policy: Response to preflight request doesn’t pass access control check: The ‘Access-Control-Allow-Origin’ header contains multiple values ‘https://sub1.domain.com, *’, but only one is allowed.

All 3 domains use similar nginx config per the example below.


    # TLS-terminating reverse proxy for sub1.domain.com: accepts HTTPS on 443 and
    # forwards every request to a plain-HTTP backend on 127.0.0.1:80.
    server {
    listen 443 ssl http2;
    # NOTE(review): "(::)" looks like a garbled "[::]"; nginx writes IPv6 listen
    # addresses in square brackets.
    listen (::):443 ssl http2;
    server_name sub1.domain.com;
    access_log /var/www/sub1.domain.com/logs/access.log;
    error_log /var/www/sub1.domain.com/logs/error.log notice;
    ssl_certificate /etc/letsencrypt/live/sub1.domain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/sub1.domain.com/privkey.pem; # managed by Certbot
    ssl_protocols TLSv1.3 TLSv1.2;# Requires nginx >= 1.13.0 else use TLSv1.2
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096
    # This cipher string selects TLS 1.2 suites only (ECDHE/DHE with AES-GCM).
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
    ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
    ssl_session_timeout  10m;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off; # Requires nginx >= 1.5.9
    ssl_stapling on; # Requires nginx >= 1.3.7
    ssl_stapling_verify on; # Requires nginx => 1.3.7
    # Resolver used for OCSP stapling lookups.
    resolver 1.1.1.1 1.0.0.1 valid=300s;
    resolver_timeout 5s;
    # Server-level add_header lines are inherited by a location only while that
    # location declares no add_header of its own (true for "location /" below).
    # Without the "always" parameter they are attached only to 2xx/3xx responses
    # (200, 201, 204, 206, 301, 302, 303, 304, 307, 308), so error pages go out
    # without these security headers.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    # X-XSS-Protection is ignored by current browsers; a Content-Security-Policy
    # is the maintained control.
    add_header X-XSS-Protection "1; mode=block";
    # add_header appends to the response; it does not replace a header of the
    # same name already returned by the proxied backend. The reported value
    # 'https://sub1.domain.com, *' is consistent with the backend sending its own
    # Access-Control-Allow-Origin and this line adding '*' on top (presumably;
    # confirm by inspecting the backend response). Emit the header in one place
    # only: either drop this line, or hide the backend's copy with
    # proxy_hide_header before setting it here.
    # Security: '*' lets any origin read non-credentialed responses; prefer
    # echoing back only origins from an explicit allow-list of the subdomains.
    add_header 'Access-Control-Allow-Origin' '*';

  # Proxy everything to the local backend over plain HTTP (loopback only).
  location / {
        proxy_pass http://127.0.0.1:80;
        # $http_host is the client-supplied Host header passed through verbatim;
        # the backend should not use it to build links or redirects unvalidated.
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for appends $remote_addr to whatever
        # X-Forwarded-For the client sent, so only the last entry (or X-Real-IP)
        # is trustworthy for access decisions and logging.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header SSL_OFFLOADED "1";
        proxy_set_header HTTPS "on";
        proxy_buffering off;
        port_in_redirect off;
        # NOTE(review): X-Forwarded-Proto is set twice (literal "https", then
        # $scheme); keep one so the backend does not receive a duplicate header.
        proxy_set_header      X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_headers_hash_max_size 512;
        proxy_headers_hash_bucket_size 128;
        # proxy_set_header adds a *request* header sent to the backend.
        # Access-Control-Allow-Origin is a *response* header, so this line has no
        # effect on the browser's CORS check.
        proxy_set_header "Access-Control-Allow-Origin" "*";
        gzip on;
        gzip_proxied any;
        proxy_read_timeout 3600;
        # Bodies up to 128M are accepted and up to 100M of each is buffered in
        # memory per request; size these to the real upload needs, since large
        # in-memory buffers make memory exhaustion by concurrent uploads easier.
        client_max_body_size 128M;
        client_body_buffer_size 100M;
        proxy_buffer_size 128k;
        proxy_buffers 4 256k;
        proxy_busy_buffers_size 256k;
  }

}

I added `add_header 'Access-Control-Allow-Origin' '*';` to the server block, but the error still occurs. How can I prevent this from happening?