Opened 7 years ago

Closed 7 years ago

#1186 closed defect (invalid)

multiple add_header in multiple server blocks

Reported by: Miroslav Shubernetskiy
Owned by:
Priority: minor
Milestone:
Component: other
Version: 1.11.x
Keywords:
Cc:
uname -a: Linux c2ed8c0b8be3 4.4.0-59-generic #80-Ubuntu SMP Fri Jan 6 17:47:47 UTC 2017 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.11.8
built by gcc 4.9.2 (Debian 4.9.2-10)
built with OpenSSL 1.0.1t 3 May 2016
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/ --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed'



It seems that when an nginx configuration has multiple server blocks, not all add_header directives are honored within different server blocks.

In my case I use nginx as a reverse proxy server for multiple domains with different upstream servers. For each domain I have 2 server blocks. The first is an http block which simply redirects to https. The second has TLS/SSL termination configured and then sends all requests to the upstream server. Since I use HSTS, in each server block where TLS is configured I add the HSTS header (note that the HSTS header is not expected to be returned on non-TLS connections, so that header is only added in TLS server blocks):

add_header Strict-Transport-Security "max-age=31536000";

Note that I don't use the add_header directive in any other blocks within the same server block. For example, I don't have any additional add_header directives within any location blocks. The reason I mention that is because, as per the docs, add_header uses inheritance, which means that if add_header were present in any location block, the add_header from the server block definition would be ignored ( and confirm that).

So as per documentation I would expect that all the domains should return the expected HSTS header but only a single domain returns it. All server blocks are on the same level within the nginx config so it should not trigger directive inheritance causing only the last directive to be honored.

Any ideas why this is happening? Is this a bug or something expected? If expected how would I go about solving my needs?

Some other info in case it's useful for diagnosing the issue. I am using Docker with official nginx images on top of Ubuntu 16.04. Currently using 1.11.8 nginx, which you can see from the nginx -V output attached in the ticket.


Change History (3)

comment:1 by Maxim Dounin, 7 years ago

Please provide full configuration which demonstrates the problem.

comment:2 by Miroslav Shubernetskiy, 7 years ago

When trying to reproduce an issue with a simpler config, I was not able to. Then read the docs again. And haha. Saw my stupidity. add_header does not add a value for >=400 status codes unless the always parameter is given. One of the domains I was testing is actually returning 404 for the home page, hence the HSTS header was not being added. Added the always parameter and it works as expected.

Don't see a way for me to close the ticket, so please feel free to do so.


comment:3 by Maxim Dounin, 7 years ago

Resolution: invalid
Status: new → closed

Ok, closing this.
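
An added example (not part of the ticket and not nginx code): a small Python linter for the two add_header behaviours discussed in this thread, a security header set without `always` being left off error responses such as the 404 in comment:2, and a block's own add_header replacing the ones it would otherwise inherit. The function names, issue labels and sample config are constructed for illustration; the tokenizer assumes a config that already passes `nginx -t` and does not follow `include`.

```python
import re

TOKEN = re.compile(r'''#[^\n]*|"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|[{};]|[^\s{};]+''')

def parse(conf):
    """Build a tree of blocks with the add_header directives set at each level."""
    root = {"name": "main", "hdrs": [], "kids": []}
    stack, words = [root], []
    for tok in (t for t in TOKEN.findall(conf) if not t.startswith("#")):
        if tok == "{":                               # words so far name the block
            node = {"name": " ".join(words), "hdrs": [], "kids": []}
            stack[-1]["kids"].append(node)
            stack.append(node)
        elif tok == "}":
            stack.pop()
        elif tok == ";" and words[:1] == ["add_header"]:
            stack[-1]["hdrs"].append([w.strip("\"'") for w in words[1:]])
        elif tok == ";" and words[:1] == ["server_name"]:
            stack[-1]["name"] += " " + " ".join(words[1:])
        words = [] if tok in ("{", "}", ";") else words + [tok]
    return root

def lint(conf, header="Strict-Transport-Security"):
    """Return (block path, issue) pairs for the two add_header pitfalls in the ticket."""
    findings = []
    def sets(hdrs):
        return any(h and h[0].lower() == header.lower() for h in hdrs)
    def walk(node, path, inherited):
        path = path + [node["name"]]
        for h in node["hdrs"]:
            if sets([h]) and "always" not in h[2:]:  # skipped on error responses
                findings.append((" > ".join(path), "missing-always"))
        if node["hdrs"] and sets(inherited) and not sets(node["hdrs"]):
            findings.append((" > ".join(path), "inheritance-dropped"))
        for kid in node["kids"]:                     # own add_header replaces inherited
            walk(kid, path, node["hdrs"] or inherited)
    for top in parse(conf)["kids"]:
        walk(top, [], [])
    return findings

# Constructed sample config (not the reporter's).
SAMPLE = '''
server { server_name a.example; listen 443 ssl;
         add_header Strict-Transport-Security "max-age=31536000"; }
server { server_name b.example; listen 443 ssl;
         add_header Strict-Transport-Security "max-age=31536000" always;
         location /static/ { add_header Cache-Control "public"; } }
'''
```

Calling `lint(SAMPLE)` reports the first server for the missing `always` and the `/static/` location for dropping the inherited header; repeating the HSTS add_header inside that location clears the second finding.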
