我在 nginx.conf 文件中为 Rails (3.2) 应用程序做了以下配置。在 prod 环境中访问 localhost:5478 时，页面的响应标头包含 X-Frame-Options；但直接访问端口 5479-5482 时缺少 X-Frame-Options，这使应用可能遭受点击劫持。我尝试在 location 中使用 proxy_set_header 和 add_header，但都没有用。有什么更好的方法来实现这一目标？
# Backend pool for the Rails app: four instances addressed on the loopback
# interface. ip_hash pins each client address to one instance.
# NOTE: a request sent straight to one of these ports never passes through
# the server block on 5478 below, so none of its add_header directives apply
# to such a response; the header has to come from the app itself, or the
# ports must not be reachable from outside the host (assumed — verify how
# the Rails processes are bound).
upstream rails {
ip_hash;
server 127.0.0.1:5479;
server 127.0.0.1:5480;
server 127.0.0.1:5481;
server 127.0.0.1:5482;
}
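server {
    listen 5478 default;
    server_name _;
    root "../d2/public";

    # Clickjacking protection for every response that goes through this port.
    # add_header is inherited by a location only when that location declares
    # no add_header of its own, so it is repeated inside /assets/ below.
    # add_header also applies only to 2xx/3xx responses; on nginx >= 1.7.5 the
    # `always` parameter extends it to error responses as well.
    add_header X-Frame-Options "SAMEORIGIN";

    location ~ ^/assets/ {
        root "../d2/public";
        expires 1y;
        add_header Cache-Control public;
        add_header ETag "";
        # Re-declared on purpose: the two add_header lines above switch off
        # inheritance of the server-level X-Frame-Options for this location.
        add_header X-Frame-Options "SAMEORIGIN";
        break;
    }

    location ~* / {
        # Request headers forwarded to the upstream so Rails sees the real
        # client. proxy_set_header changes the request sent to Rails, not
        # the response returned to the browser, so it cannot add
        # X-Frame-Options; add_header (inherited here from the server block)
        # is what does that.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_buffer_size 128k;
        proxy_buffers 4 256k;
        proxy_busy_buffers_size 256k;
        # Hand the request to the Rails pool. Responses fetched directly from
        # the pool ports (5479-5482) bypass this block entirely; to cover them,
        # emit the header from the app (e.g. a Rails filter setting
        # response.headers['X-Frame-Options'] = 'SAMEORIGIN') and keep those
        # ports bound to loopback / firewalled.
        proxy_pass http://rails;
    }
}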