Why doesn't Nginx sub_filter work together with proxy_pass?

Time: 2020-06-25 03:13:07

Tags: javascript nginx iframe

Goal

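I want to bypass the same-origin policy on an iframe by using a reverse proxy, so that I can exert some JavaScript control over the website inside the iframe.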

Problem 1

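The iframe's src is set to https://example1.com/iframe-app. But this still causes the same same-origin policy violations in the browser. So the browser still sees the page in the iframe as not originating from https://example1.com/, which seems OK, because if the base page had the same origin then its ajax requests would not work properly.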

Problem 2

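So I tried to use the nginx sub_filter directive to inject my JavaScript into the response HTML. However, nothing is added to the response. Maybe that is because the response is encrypted under the https protocol?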

Question

Why does sub_filter not work, and how can I make it work?

nginx configuration

    server {
        root /var/www/example1.com/html;
        index index.html index.htm index.nginx-debian.html;

        server_name example1.com www.example1.com;

        location / {
            proxy_pass http://localhost:4000;
        }

        location /iframe-app {
            # Strip the /iframe-app prefix before proxying
            rewrite ^/iframe-app(.*) /$1 break;

            proxy_pass http://example2.com;

            # Clear Accept-Encoding on the request sent upstream
            proxy_set_header Accept-Encoding "";

            proxy_redirect off;

            # Replace the first </head> in text/html responses
            sub_filter '</head>' '<script>...code</script></head>';
            sub_filter_once on;
            sub_filter_types text/html;
        }

        listen [::]:443 ssl ipv6only=on; # managed by Certbot
        listen 443 ssl; # managed by Certbot
        ssl_certificate /etc/letsencrypt/live/example1.com/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/example1.com/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    }

    server {
        if ($host = www.example1.com) {
            return 301 https://$host$request_uri;
        } # managed by Certbot

        if ($host = example1.com) {
            return 301 https://$host$request_uri;
        } # managed by Certbot

        listen 80;
        listen [::]:80;

        server_name example1.com www.example1.com;
        return 404; # managed by Certbot
    }

0 answers:

No answers