Opened 4 years ago

Closed 4 years ago

#917 closed defect (invalid)

try_files ignores add_header at same level

Reported by: https://stackoverflow.com/users/573152/bernard-rosset Owned by:
Priority: minor Milestone: 1.9
Component: nginx-core Version: 1.8.x
Keywords: Cc:
uname -a: Linux 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt20-1+deb8u3 (2016-01-17) x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.8.1
built by gcc 4.9.2 (Debian 4.9.2-10)
built with OpenSSL 1.0.1k 8 Jan 2015
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-mail --with-mail_ssl_module --with-file-aio --with-http_spdy_module --with-cc-opt='-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,--as-needed' --with-ipv6

Description

Using the following configuration:

server {
    listen  443 ssl default_server;
    listen  [::]:443 ssl default_server;
    server_name example.org;

    ssl_certificate     cert.pem;
    ssl_certificate_key key.pem;

    add_header Strict-Transport-Security "max-age=15984000";

    root    /var/web/$host;
    index   index.html index.php;
    try_files   $uri    $uri/   =404;
}

Files that cannot be found are replied with a 404 page without the Strict-Transport-Security header.

Change History (1)

comment:1 by Valentin V. Bartenev, 4 years ago

Resolution: invalid
Status: newclosed

A quote from the add_header directive documentation:

Adds the specified field to a response header provided that the response code equals 200, 201, 204, 206, 301, 302, 303, 304, or 307.

You should use the always parameter if you want to add header for 404 responses.

Note: See TracTickets for help on using tickets.