Why you need to be careful with Nginx's add_header directive: a detailed explanation

2025-03-28 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

Preface

As you probably know, response headers are set in the nginx configuration file with the add_header directive.

Yesterday, I used curl to check the headers of a site and found that the returned headers were different from what I had expected:

HTTP/2 200
date: Thu, 07 Feb 2019 04:26:38 GMT
content-type: text/html; charset=UTF-8
vary: Accept-Encoding, Cookie
cache-control: max-age=3, must-revalidate
last-modified: Thu, 07 Feb 2019 03:54:54 GMT
X-Cache: Miss
server: cloudflare
...

The main site has headers such as HSTS configured at the top level of nginx.conf:

add_header Strict-Transport-Security "max-age=63072000; preload";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";

But the response does not contain any of these headers. Apart from the standard headers, there is only X-Cache, which is the one header configured inside the location block.

My first thought was that the CDN had filtered these headers out. So I went through Cloudflare's documentation and found nothing saying they would be touched. On reflection, why would a CDN strip all of these anyway? They have better things to do.

So the problem shifted to the Nginx configuration. A Google search for "nginx location add_header" turned up, sure enough, plenty of people who had fallen into the same pit. The official documentation for add_header contains the following description (other details omitted):

There could be several add_header directives. These directives are inherited from the previous level if and only if there are no add_header directives defined on the current level.

Note the key sentence: "These directives are inherited from the previous level if and only if there are no add_header directives defined on the current level." That is, the parent level's settings are inherited only if the current level contains no add_header directive at all. So my problem was clear: the location block contains an add_header (X-Cache), so every add_header defined at the http level in nginx.conf is discarded for that location.

This is deliberate Nginx behavior, not a bug or a trap. But if you read the sentence more closely, you will find something more interesting: only the add_header directives at the nearest level take effect. add_header can be configured in http, server and location, but the closest block wins and all upper-level add_header directives are dropped, with no merging.

But the problem does not stop there. If one location rewrites the request to another location, only the second location's headers appear in the final response. For example:

location /foo1 {
    add_header foo1 1;
    rewrite / /foo2;
}

location /foo2 {
    add_header foo2 1;
    return 200 "OK";
}

Whether the request is for /foo1 or /foo2, the only custom header in the final response is foo2:

Although this is arguably the expected behavior, it still feels a little awkward and uncomfortable: a server block loses the http-level configuration, a location loses the server-level configuration, yet here the two location blocks are at the same level!

If you cannot rely on inheriting the parent configuration, but also do not want to repeat the same directives in every block, the solution is the include directive.
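The include-based fix applied to the configuration discussed above, as an added example that is not from the original article. The snippet path, server_name, the /static/ location and the literal X-Cache value are assumptions; the `always` parameter (available since nginx 1.7.5, not mentioned in the article) makes the headers apply to error responses as well as 2xx/3xx.

```nginx
# Added example, not from the original article.
# Assumed file: /etc/nginx/snippets/security-headers.conf, containing:
#   add_header Strict-Transport-Security "max-age=63072000; preload" always;
#   add_header X-Frame-Options SAMEORIGIN always;
#   add_header X-Content-Type-Options nosniff always;
#   add_header X-XSS-Protection "1; mode=block" always;

http {
    # Headers set here are silently dropped in any block below that
    # contains its own add_header: nginx replaces, it never merges.
    include snippets/security-headers.conf;

    server {
        listen 443 ssl;
        server_name example.com;   # assumed
        # ssl_certificate / ssl_certificate_key omitted for brevity

        location / {
            # No add_header here, so the http-level headers are inherited.
            try_files $uri $uri/ =404;
        }

        location /static/ {
            # This add_header cancels inheritance. Without the include
            # line the response would carry only X-Cache.
            include snippets/security-headers.conf;
            add_header X-Cache MISS;   # assumed value
        }

        location /foo1 {
            include snippets/security-headers.conf;
            add_header foo1 1;
            rewrite / /foo2;   # request is re-matched against /foo2
        }

        location /foo2 {
            # Only this block's headers reach the client after the rewrite,
            # so the security headers must be included here too.
            include snippets/security-headers.conf;
            add_header foo2 1;
            return 200 "OK";
        }
    }
}
```

Run `nginx -t` after the change, then verify each location with `curl -sI` and check that the security headers appear for /, /static/ and /foo1 alike.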

References

Nginx Module ngx_http_headers_module
Nginx add_header configuration pitfall
Be very careful with your add_header in Nginx!
Pit of add_header with You might make your site insecure
add_header directives in location overwriting add_header directives in server nginx configuration
