Nginx – Whitelisting request/response headers with nginx proxy_pass

nginx

I am configuring a reverse proxy in nginx using proxy_pass. I am then using proxy_set_header to override certain request headers and proxy_hide_header to remove certain response headers.

This effectively creates a blacklist of headers that I do not want to pass through my proxy.

Ideally, though, I would want to define a whitelist of headers that are allowed to pass through. For example, I might want to hide all headers except Content-Type and Content-Length (and a few others, probably).

Is there any mechanism in nginx to implement this sort of header whitelist while proxying? I can't seem to find this in this nginx documentation or through Google searches.

Thanks!

Best Answer

There is openresty/headers-more-nginx-module on github. Seems to fit your needs quite well.

Related Solutions

Nginx : backend https, proxy_pass shows ip

proxy_redirect off should do the trick. I think you should also change your proxy_pass to use SSL if you want to use SSL for your backend. Although a Unix socket would be much better to tighten security and still keep a fast connection.

My recommended nginx.conf:

# /etc/nginx/nginx.conf

user www-data;
worker_processes 2; # Do you really have two CPU cores?
events {
  multi_accept        on;
  worker_connections  768;
  use                 epoll;
}
http {
  charset                         utf-8;
  client_body_timeout             65;
  client_header_timeout           65;
  client_max_body_size            10m;
  default_type                    application/octet-stream;
  index                           index.html index.php /index.php;
  keepalive_timeout               20;
  reset_timedout_connection       on;
  send_timeout                    65;
  sendfile                        on;
  server_names_hash_bucket_size   64;
  tcp_nodelay                     off;
  tcp_nopush                      on;
  gzip              on;
  gzip_buffers      32 4k;
  gzip_comp_level   2;
  gzip_disable      "msie6";
  gzip_http_version 1.1;
  gzip_min_length   1100;
  gzip_proxied      any;
  gzip_static       on;
  gzip_types
    #text/html is always compressed by HttpGzipModule
    text/css
    text/plain
    application/javascript
    application/x-javascript
    application/json
    application/x-json
    application/rss+xml
    application/xml
    application/vnd.ms-fontobject
    font/truetype
    font/opentype
    image/x-icon
    image/svg+xml;
  gzip_vary         on;
  include                        mime.types;
  include                        conf.d/*.conf;
  include                        sites-enabled/*;
}

My recommended virtual host configuration:

# /etc/nginx/sites-available/default.conf

proxy_cache_key "$scheme://$host$request_uri";
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=cache:10m inactive=7d max_size=700m;

server {
  listen 80;
  server_name example.com;
  access_log off;
  root /var/www;

  # Consider using a map for this! If is bad!
  if ($request_method !~ ^(GET|HEAD|POST)$ ) {
    return 444;
  }

  location / {
    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwared-For $proxy_add_x_forwarded_for;
    proxy_intercept_errors on;
    proxy_buffering on;
    proxy_pass http://127.0.0.1:port$request_uri;
  }
}

Have a look at my nginx configuration at GitHub for more advanced stuff (not finished yet, have to write more comments first): https://github.com/Fleshgrinder/nginx

Nginx proxy_pass receive content/status headers when http 4xx

Check your entire nginx configuration and make sure you didn't set proxy_intercept_errors on; somewhere. This setting should be off in your scenario.

Best Answer

Related Solutions

Nginx : backend https, proxy_pass shows ip

Nginx proxy_pass receive content/status headers when http 4xx

Related Topic