Opened 3 years ago

Closed 3 years ago

#1324 closed defect (invalid)

add_header always doesn't work when sending HTTP response 451

Reported by: dkg@… Owned by:
Priority: minor Milestone:
Component: other Version: 1.10.x
Keywords: Cc:
uname -a: Linux che 4.9.0-3-amd64 #1 SMP Debian 4.9.25-1 (2017-05-02) x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.10.3
built with OpenSSL 1.1.0d 26 Jan 2017 (running with OpenSSL 1.1.0f 25 May 2017)
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-F3HeH5/nginx-1.10.3=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-mail=dynamic --with-mail_ssl_module --add-dynamic-module=/build/nginx-F3HeH5/nginx-1.10.3/debian/modules/nginx-auth-pam --add-dynamic-module=/build/nginx-F3HeH5/nginx-1.10.3/debian/modules/nginx-dav-ext-module --add-dynamic-module=/build/nginx-F3HeH5/nginx-1.10.3/debian/modules/nginx-echo --add-dynamic-module=/build/nginx-F3HeH5/nginx-1.10.3/debian/modules/nginx-upstream-fair --add-dynamic-module=/build/nginx-F3HeH5/nginx-1.10.3/debian/modules/ngx_http_substitutions_filter_module

Description

I'm running nginx 1.10.3 on debian stable. I have the following config:

location /http451-example/dangerous.html {
         error_page 451 /http451-example/blocked-body.html;
         add_header Link "<https://spqr.example.org/legislatione>; rel=blocked-by" always;
         return 451;
}

however, the Link header doesn't appear in the HTTP response.

Additionally, i don't see any way to provide a description associated with the numeric response code. I would normally want to see something like HTTP/1.1 451 Unavailable for Legal Reasons.

This can be tested with:

0 dkg@alice:~$ wget -S -O/dev/null https://dkg.fifthhorseman.net/http451-example/dangerous.html
--2017-07-15 17:17:01--  https://dkg.fifthhorseman.net/http451-example/dangerous.html
Resolving dkg.fifthhorseman.net (dkg.fifthhorseman.net)... 162.247.75.118
Connecting to dkg.fifthhorseman.net (dkg.fifthhorseman.net)|162.247.75.118|:443... connected.
HTTP request sent, awaiting response... 
  HTTP/1.1 451 
  Server: nginx/1.10.3
  Date: Sat, 15 Jul 2017 15:17:01 GMT
  Content-Type: text/html
  Content-Length: 190
  Connection: keep-alive
  ETag: "596a275f-be"
2017-07-15 17:17:02 ERROR 451: (no description).

8 dkg@alice:~$ 

https://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header says:

Adds the specified field to a response header provided that the response code equals 200, 
201, 204, 206, 301, 302, 303, 304, 307, or 308. The value can contain variables.

There could be several add_header directives. These directives are inherited from the 
previous level if and only if there are no add_header directives defined on the current 
level.

If the always parameter is specified (1.7.5), the header field will be added regardless of 
the response code.

So i think the "always" should trigger header inclusion.

Change History (2)

comment:1 by Ilyas Bakirov, 3 years ago

451 http status (https://trac.nginx.org/nginx/browser/nginx/src/http/ngx_http_request.h) and error page (https://trac.nginx.org/nginx/browser/nginx/src/http/ngx_http_special_response.c) must be introduced first in order to get default message for 451 status code page

comment:2 by Maxim Dounin, 3 years ago

Resolution: invalid
Status: newclosed

The add_header directive have to be used in the location where the response is actually returned. In the provided configuration snippet, however, it is used in the location /http451-example/dangerous.html where an error is generated using the return directive, and then the request is redirected to /http451-example/blocked-body.html using the error_page directive. As such, the add_header in the provided configuration will never work.

To make things work, the configuration have to be changed to use the add_header in the location where the request is redirected using error_page, for example:

location /http451-example/dangerous.html {
         error_page 451 /http451-example/blocked-body.html;
         return 451;
}

location /http451-example/blocked-body.html {
         add_header Link "..." always;
}
Note: See TracTickets for help on using tickets.