Nginx – Overwrite HTTP headers comming back from a web application server proxied in nginx

http-headersnginxreverse-proxy

I have a web application server reverse-proxied behind nginx 1.15 like so:

location / {
   proxy_pass https://some.awesome.IP:8080;
   proxy_set_header Host            $host;
   proxy_set_header X-Forwarded-For $remote_addr;
}
add_header Content-Security-Policy "default-src 'self'; frame-ancestor https://subdomain.domain.org 'self'";

Now this web application server thinks it would be a good idea to set the Content-Security-Policyheader to frame-ancestors 'self' – which destroys my front-end since I need to wrap that page in an iframe being hosted at https://subdomain.domain.org.

So, how can I in nginx change/overwrite/delete headers coming back from web application server before passing the response to the client? add_header is obviously ignored here.

Best Answer

It seems that adding proxy_hide_header Content-Security-Policy; did the trick.

Related Solutions

Nginx proxy pass works for https but not http

I believe you need a separate server block for HTTP. For example:

server {
listen 80;

location / {
        proxy_redirect off;
        proxy_cache off;
        proxy_pass         http://127.0.0.1:5000;
        proxy_set_header   Host             $http_host;
        proxy_set_header   X-Real-IP        $remote_addr;
        proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
}
}

You would then remove listen 80; from the existing server block.

Nginx/Apache: set HSTS only if X-Forwarded-Proto is https

You could have multiple server blocks. So just add new server block for domains that need HSTS.

server {
    listen xx.xx.xxx.xxx:443 ssl default_server;

    # all ssl stuff
    # and other directives
}

server {
    listen xx.xx.xxx.xxx:443 ssl;
    server_name example.com other.example.com;

    # all ssl stuff
    # and other directives with HSTS enabled
}

Here first block will handle all https connections except example.com and other.example.com.

And you don't need ssl on directive if you have ssl flag in listen.

EDIT

There is another solution with only one server block:

map $scheme:$host $hsts_header {
    default "";
    https:example.com "max-age=31536000";
    https:other.example.com "max-age=31536000";
}

server {
    server_tokens off;

    listen xx.xx.xxx.xxx:80;
    listen xx.xx.xxx.xxx:443 ssl;

    ssl_certificate /etc/ssl/foo.crt;
    ssl_certificate_key /etc/ssl/private/foo.key;

    ssl_session_timeout 10m;

    # ... other ssl stuff

    location / {
        proxy_pass http://127.0.0.1:81;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header Host $host;
        add_header X-XSS-Protection "1; mode=block";
        add_header Strict-Transport-Security $hsts_header;
    }
}

We use map to define HSTS header value and use the fact, than nginx will not add header with empty value.

Best Answer

Related Solutions

Nginx proxy pass works for https but not http

Nginx/Apache: set HSTS only if X-Forwarded-Proto is https

Related Topic