Nginx add_header instruction example analysis

Preface

As we all know, the nginx configuration file sets the response header by using the add_header directive.

Use curl to check the information of a site and find that the returned header is different from what was expected:

http/2 200
date: thu, 07 feb 2019 04:26:38 gmt
content-type: text/html; charset=utf-8
vary: accept-encoding, cookie
cache-control: max-age=3, must-revalidate
last-modified: thu, 07 feb 2019 03:54:54 gmt
x-cache: miss
server: cloudflare
...

The main site has configured hsts and other headers in nginx.conf:

add_header strict-transport-security "max-age=63072000; preload";
add_header x-frame-options sameorigin;
add_header x-content-type-options nosniff;
add_header x-xss-protection "1; mode=block";

But the response header does not have these headers. In addition to the regular headers, there is only one header x-cache configured in the location.

The first impression is that CDN filters these headers? So I looked for cloudflare's documentation, but I didn't find that it would handle these. Then I thought about it, what does CDN do to filter these? Are you full after eating? They don't do the censorship thing!

The problem shifts to the configuration of nginx. Open Google and search for "nginx location add_header", and you will find many flaws. Click on the add_header document on the official website and there is this description (other information has been omitted):

there could be several add_header directives. these directives are inherited from the previous level if and only if there are no add_header directives defined on the current level.

Attention is focused on "these directives are inherited from the previous level if and only if there are no add_header directives defined on the current level.". That is: the parent settings will be inherited only if there is no add_header directive in the current level. So my question is clear: there is add_header in location, and the configuration in nginx.conf is discarded.

This is a deliberate behavior of nginx, and it cannot be said to be a bug or a pit. But if you understand this sentence deeply, you will find a more interesting phenomenon: only the latest add_header works. add_header can be configured in http, server and location, but the closest configuration will take effect, and all configurations above will be invalid.

But the problem doesn’t stop there. If the location is rewritten to another location, only the second header will appear in the final result. For example:

location /foo1 {
 add_header foo1 1;
 rewrite / /foo2;
}

location /foo2 {
 add_header foo2 1;
 return 200 "ok";
}

Regardless of requesting /foo1 or /foo2, the final header is only foo2:

Although it makes sense, this is normal behavior, but it always makes people It feels a bit forced and uncomfortable: the server loses the http configuration, and the location loses the server configuration, but the two locations are at the same level!

You cannot inherit the parent configuration, and you don’t want to repeat instructions in the current block. The solution can be to use the include instruction.

The above is the detailed content of Nginx add_header instruction example analysis. For more information, please follow other related articles on the PHP Chinese website!