Opened 9 months ago

Closed 9 months ago

#2302 closed defect (invalid)

Adding `proxy_hide_header` to `location` context completely deactivates `proxy_hide_header` directives in `server` context

Reported by: usenkovdmitry@… Owned by:
Priority: minor Milestone:
Component: nginx-core Version: 1.19.x
Keywords: proxy_hide_header proxy_pass Cc: usenkovdmitry@…
uname -a: Linux ef0f6e0ed935 5.11.0-44-generic #48~20.04.2-Ubuntu SMP Tue Dec 14 15:36:44 UTC 2021 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.21.4
built by gcc 10.2.1 20210110 (Debian 10.2.1-6)
built with OpenSSL 1.1.1k 25 Mar 2021
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -ffile-prefix-map=/data/builder/debuild/nginx-1.21.4/debian/debuild-base/nginx-1.21.4=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'

Description

This behavior was discovered first on 1.18.0 (Ubuntu 20.04) but can be reproduced with the latest docker container.

events {
    worker_connections  1024;
}
http {
    server {
        listen 80;
        proxy_http_version 1.1;
        proxy_ssl_server_name on;

        #doesn't work unless `proxy_hide_header` in location / is removed
        proxy_hide_header Link;

        location / {
            proxy_pass https://www.nginx.com;

            #works, but `proxy_hide_header` in `server` context stops working
            proxy_hide_header X-Pingback;
        }
    }
}
sudo docker run -p 3000:80 -it -v /home/dmitry/nginx.conf:/etc/nginx/nginx.conf:ro nginx
curl localhost:3000/ -I

You'll see that Link header is passed to curl (even though proxy_hide_header Link; is there). Try to remove proxy_hide_header X-Pingback; from location, restart nginx and curl again. Link header will be hidden as it should.

Change History (1)

comment:1 by Maxim Dounin, 9 months ago

Resolution: invalid
Status: newclosed

Much like any directives in nginx configuration, proxy_hide_header directives are inherited from the previous configuration level only if there are no proxy_hide_header directives defined on the current level. That is, the behaviour you observe is exactly as it should be: when you redefine headers to hide at the location level, the list of headers to hide is redefined, not extended.

Note: See TracTickets for help on using tickets.