Custom Query (2297 matches)
Results (73 - 75 of 2297)
Ticket | Resolution | Summary | Owner | Reporter |
---|---|---|---|---|
#2302 | invalid | Adding `proxy_hide_header` to `location` context completely deactivates `proxy_hide_header` directives in `server` context | ||
Description |
This behavior was discovered first on 1.18.0 (Ubuntu 20.04) but can be reproduced with the latest docker container.

```
events {
    worker_connections 1024;
}

http {
    server {
        listen 80;
        proxy_http_version 1.1;
        proxy_ssl_server_name on;

        #doesn't work unless `proxy_hide_header` in location / is removed
        proxy_hide_header Link;

        location / {
            proxy_pass https://www.nginx.com;

            #works, but `proxy_hide_header` in `server` context stops working
            proxy_hide_header X-Pingback;
        }
    }
}
```

```
sudo docker run -p 3000:80 -it -v /home/dmitry/nginx.conf:/etc/nginx/nginx.conf:ro nginx
curl localhost:3000/ -I
```
You'll see that Link header is passed to curl (even though |
|||
#854 | wontfix | Add inherited keyword for altering directive inheritance | ||
Description |
I wanted to set a few basic headers for all of my HTTP responses in nginx, however the current behaviour of
I'd like to propose the addition of an
However, it is likely that this override may be useful for other directives that aren't inherited by default as well. The only one that springs to mind is
In my particular use case I was hoping to add the It's fairly trivial in this case I admit, but I think that allowing users to override inheritance behaviour when they know they want to is useful. |
|||
#2025 | invalid | additional headers not sent when directory index is forbidden | ||
Description |
Running nginx in docker (nginx:mainline, currently 1.19.0) to serve static files, I have added the usual set of headers via add_header like this:

```
server {
    listen *:80 default_server;
    server_name _;
    server_tokens off;

    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
    add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-hashes' 'unsafe-inline';";
    add_header Referrer-Policy strict-origin;
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-XSS-Protection 1;

    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
    }
}
```

When a request is made to a path without index file, directory listing is denied (rightfully so) and a 403 status is returned. When this happens, none of the extra headers are returned. These additional headers should always be returned; it makes us fail security certifications because automated scanners find pages without the proper headers set. While I don't have an example at hand, I could imagine that there is a scenario where being able to circumvent additional headers during a request in this way might enable or at least aid some kind of malicious action. |
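Tickets #2302 and #2025 both follow from nginx's normal behaviour: a level that sets `add_header` or `proxy_hide_header` inherits none of that directive's values from the enclosing level, and `add_header` without `always` is not applied to error responses such as 403. The audit below is an added example, not code from the tickets or from the nginx project. `audit`, `SAMPLE` and the finding labels are hypothetical names, and the sample config is constructed from the two reports.

```python
import re

# A level that sets one of these inherits none of the parent's values for it.
ALL_OR_NOTHING = {"add_header", "proxy_hide_header"}
TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+')

# Constructed sample combining the configs from tickets #2302 and #2025.
SAMPLE = """
http {
    server {
        listen 80;
        proxy_hide_header Link;
        add_header X-Frame-Options SAMEORIGIN;
        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;
        location / {
            proxy_pass https://www.nginx.com;
            proxy_hide_header X-Pingback;
        }
    }
}
"""

def audit(conf):
    """Return (kind, context, detail) findings for an nginx config string."""
    conf = re.sub(r"(?m)^\s*#.*$", "", conf)  # whole-line comments only
    findings, stack, words = [], [("main", {})], []
    for tok in TOKEN.findall(conf):
        if tok == "{":                      # open a block named by the pending words
            stack.append((" ".join(words), {}))
            words = []
        elif tok == ";":                    # end of a simple directive
            if words:
                name, args = words[0], words[1:]
                stack[-1][1].setdefault(name, []).append(args)
                # Without "always", add_header is skipped on error responses (e.g. 403).
                if name == "add_header" and args[-1:] != ["always"]:
                    findings.append(("no-always", stack[-1][0], " ".join(args[:1])))
            words = []
        elif tok == "}":                    # close a block and compare with ancestors
            ctx, own = stack.pop()
            for d in sorted(ALL_OR_NOTHING & own.keys()):
                for pctx, pown in reversed(stack):
                    if d in pown:           # nearest level whose values are now lost
                        for args in pown[d]:
                            findings.append(("dropped", ctx, f"{d} {(args or ['?'])[0]} (from {pctx})"))
                        break
        else:
            words.append(tok)
    return findings
```

Inline comments after a directive and `include` files are not handled; run it on a flattened config such as the output of `nginx -T`.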