Nginx proxy_pass Access-Control-Allow-Origin not working and rewrite issue

Question

Having a bit of a tough time with nginx and Access-Control-Allow-Origin, no matter what i do the response is always

Failed to load resource: Origin https://example.com is not allowed by Access-Control-Allow-Origin

I'm using kubernetes with a proxy that sits outside of the cluster, it's just another nginx container which has the following config:

upstream api {
        least_conn;
        server 192.168.0.2:30002;
        server 192.168.0.3:30002;
    }

server {
        listen 443 ssl;
        ssl_certificate /usr/local/etc/ssl/certs/live/example.com/cert.pem;
        ssl_certificate_key /usr/local/etc/ssl/certs/live/example.com/privkey.pem;
        ssl_session_timeout 10m;
        ssl_verify_client off;
        server_name api.example.com;
        error_log /usr/share/nginx/logs/error-api.log;
        access_log /usr/share/nginx/logs/access-api.log;

        location / {
            proxy_next_upstream error timeout http_502;
            proxy_next_upstream_tries 10;
            proxy_pass https://api;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $host:$server_port;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_ssl_session_reuse on;

        }
    }

The requests get forwarded to port 30002 of the cluster which has a service listening on port 443 and forwards that request to the api container which holds a symfony app. The symfony app is also running on nginx:

server {
        listen 443;
        root /usr/share/nginx/html/public;
        server_name api.example.com;

        location / {
            try_files $uri /index.php$is_args$args;

            #try_files $uri $uri/ =404;
        }

        location ~ \.php$ {
            fastcgi_next_upstream_timeout 10s;
            fastcgi_next_upstream_tries 2;
            fastcgi_pass php:9000;
            fastcgi_split_path_info ^(.+\.php)(/.*)$;
            include fastcgi_params;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param PATH_INFO $fastcgi_path_info;
            internal;
            fastcgi_buffers 8 16k;
            fastcgi_buffer_size 32k;
        }

        # deny access to apache .htaccess
         location ~ /\.ht {
             deny all;
         }

         error_log /usr/share/nginx/logs/error.log;
         access_log /usr/share/nginx/logs/access.log;
    }

In symfony i am using a library called nelmio_cors which sets the following:

nelmio_cors:
    defaults:
        origin_regex: true
        allow_origin: ['*']
        allow_methods: ['GET', 'OPTIONS', 'POST', 'PUT', 'PATCH', 'DELETE']
        allow_headers: ['Content-Type', 'Authorization','x-auth-token','x-jwt']
        expose_headers: ['Link']
        max_age: 3600
    paths:
        '^/':
            allow_origin: ['*']
            allow_headers: ['Content-Type', 'Authorization','x-auth-token','x-jwt']
            allow_methods: ['POST', 'PUT', 'GET', 'DELETE','OPTIONS']
            max_age: 3600

This is allowing all origins at the moment yet i still get the access control not being allowed.

I have tried to add the header in nginx but then i get the error saying that i have duplicate origins set, but then i remove it and it complains that the origin isn't allowed again.

Here are the headers from the browser:

Summary
URL: https://api.example.com/user/profile/loadData
Status: —
Source: —
Initiator: 
polyfills-es2015.fef4887586779dfc9d53.js:2:35526


Request
Authorization: Basic
Accept: application/json
Content-Type: application/json
Origin: https://example.com
Referer: https://example.com/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Safari/605.1.15
X-AUTH-TOKEN: HIDDEN TOKEN
X-JWT: HIDDEN TOKEN

Response
No response headers

Request Data
MIME Type: application/json
Request Data: 

When i use apache the cors library in symfony does the job but this doesn't seem to work right with nginx, i'm not sure what is going on.

While i'm here i may as well ask another question with a problem i'm having with nginx as well. In my config above i have PHP using fastcgi, it all works, the url rewrites for symfony are working, but i can't access a regular php file inside the public folder.

So as an example, i may have a route in symfony: https://api.example.com/my/url which is served via the index.php in the public folder and using rewrite rules. Now i also have a basic php file in the public folder that does some work outside of symfony for resizing images on the fly https://api.example.com/example.php

When i try to access https://api.example.com/example.php it gives me a 404, i can only assume this is something to do with my rewrite rules, but not sure given i'm using to using .htaccess with apache and don't usually have this issue