Aqui está a solução que eu criei. Ele insere a duplicação de todas as diretivas add_header do CORS.
location /api/ {
proxy_pass http://127.0.0.1:14000;
proxy_set_header Host $host;
add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
add_header Access-Control-Allow-Origin $http_origin;
add_header Access-Control-Allow-Headers "Authorization, Content-Type";
add_header Access-Control-Allow-Credentials true;
if ($request_method = OPTIONS) {
add_header Content-Length 0;
add_header Content-Type text/plain;
add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
add_header Access-Control-Allow-Origin $http_origin;
add_header Access-Control-Allow-Headers "Authorization, Content-Type";
add_header Access-Control-Allow-Credentials true;
return 200;
}
auth_basic "Restricted Area";
auth_basic_user_file /var/www/admin.htpasswd;
}