#Option 1 允许所有域名跨域

最简单直接的方法

Access-Control-Allow-Origin: *

#Option2 只允许域名及子域名

server {
    listen 80 default_server;
    server_name _;
    location / {
        #
        # NOTE: CORS standards allow a specific protocol/host combination,
        # 'null', or '*' only. So, wildcard subdomains won't work.
        #
        # Have a look here:
        #     http://enable-cors.org/server_nginx.html
        #
        if ($http_origin ~* (https?://[^/]*\.your-domain.com(:[0-9]+)?)$) {
                add_header 'Access-Control-Allow-Origin' "${http_origin}";
        }
    }
}

map $http_origin $allow_origin {
    ~^https?://(.*\.)?your-domain.com(:\d+)?$ $http_origin;
    ~^https?://(.*\.)?localhost(:\d+)?$ $http_origin;
    default "";
}

server {
    listen 80 default_server;
    server_name _;
    add_header 'Access-Control-Allow-Origin' $allow_origin;
    # ...
}

注意，除此以外还要注意服务端的应用的跨域设置，以NodeBB为例，在完成nginx以上的设置后还需要进入Settings -> Advanced

设置 Access-Control-Allow-Origin 跨域参数。