为什么以下代理不会绕过X-Frame-Options标头?

时间:2017-09-20 06:31:07

标签: apache iframe reverse-proxy x-frame-options

我需要在iframe中显示一些网站,我不能直接这样做,因为其中一些网站的标题X-Frame-Options设置为'SAMEORIGIN'。作为绕过这种方式的一种方法,我尝试在apache中使用反向代理。下面是我的apache配置

<VirtualHost *:80>
ServerName google.local
ProxyRequests Off

DocumentRoot /var/www/html/iframe-test

ProxyPass /test http://www.oracle.com/index.html
ProxyPassReverse /test http://www.oracle.com/index.html

ErrorLog /var/log/apache2/google.local-error.log
CustomLog /var/log/apache2/google.local-access.log combined

<Location *>
    AllowOverride All
    Order allow,deny
    Allow from all
    # Header always append X-Frame-Options "ALLOW-FROM all"
    Header add test-header 'test'
</Location>

但我仍然无法在iframe中加载该网站,而是收到错误Load denied by X-Frame-Options: https://www.oracle.com/index.html does not permit cross-origin framing.

1 个答案:

答案 0 :(得分:0)

上述配置的问题是代理仅适用于http协议。但是,如控制台错误消息中所示,外部站点实际上会自动将http重定向到https 因此,为了处理https请求,需要在apache中启用ssl并启用SSLProxyEngine。为此,

  1. 在终端上运行sudo a2enmod ssl

  2. 添加&#39; SSLProxyEngine On&#39;到上面的配置

    <VirtualHost *:80>
    ServerName google.local

    ProxyRequests On
    ProxyPreserveHost Off
    SSLProxyEngine On

    DocumentRoot /var/www/html/iframe-test

    ProxyPass /test http://www.oracle.com/index.html
    ProxyPassReverse /test http://www.oracle.com/index.html

    ErrorLog /var/log/apache2/google.local-error.log
    CustomLog /var/log/apache2/google.local-access.log combined

    <Location *>
        AllowOverride All
        Order allow,deny
        Allow from all
        # Header always append X-Frame-Options "ALLOW-FROM all"
        Header add test-header 'test'
    </Location>
</VirtualHost>
相关问题
最新问题