Why doesn't the following proxy bypass the X-Frame-Options header?

Time: 2017-09-20 06:31:07

Tags: apache iframe reverse-proxy x-frame-options

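I need to display some websites in an iframe, and I can't do this directly because some of these sites have the X-Frame-Options header set to 'SAMEORIGIN'. As a way around this, I tried using a reverse proxy in Apache. Below is my Apache configuration: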

    <VirtualHost *:80>
        ServerName google.local
        ProxyRequests Off
    
        DocumentRoot /var/www/html/iframe-test
    
        ProxyPass /test http://www.oracle.com/index.html
        ProxyPassReverse /test http://www.oracle.com/index.html
    
        ErrorLog /var/log/apache2/google.local-error.log
        CustomLog /var/log/apache2/google.local-access.log combined
    
        <Location *>
            AllowOverride All
            Order allow,deny
            Allow from all
            # Header always append X-Frame-Options "ALLOW-FROM all"
            Header add test-header 'test'
        </Location>
    </VirtualHost>

But I still can't load the site in the iframe; instead I get the error: Load denied by X-Frame-Options: https://www.oracle.com/index.html does not permit cross-origin framing.

1 answer:

Answer 0: (score: 0)

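The problem with the above configuration is that the proxy only works for the http protocol. However, as shown in the console error message, the external site actually redirects http to https automatically. So, to handle https requests, you need to enable ssl in Apache and turn on SSLProxyEngine. To do this: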

  1. Run sudo a2enmod ssl in a terminal
  2. Add 'SSLProxyEngine On' to the above configuration

    <VirtualHost *:80>
        ServerName google.local
    
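        # ProxyPass (reverse proxy) does not require ProxyRequests On;
        # On enables forward proxying, which must be access-controlled
        ProxyRequests On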
        ProxyPreserveHost Off
        SSLProxyEngine On
    
        DocumentRoot /var/www/html/iframe-test
    
        ProxyPass /test http://www.oracle.com/index.html
        ProxyPassReverse /test http://www.oracle.com/index.html
    
        ErrorLog /var/log/apache2/google.local-error.log
        CustomLog /var/log/apache2/google.local-access.log combined
    
        <Location *>
            AllowOverride All
            Order allow,deny
            Allow from all
            # Header always append X-Frame-Options "ALLOW-FROM all"
            Header add test-header 'test'
        </Location>
    </VirtualHost>
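
The error in the question comes from the browser's framing check, which compares the origin of the framed document with the origin of the embedding page. As an added example (not part of the original question or answer), this Python model follows the HTML Standard's X-Frame-Options check, with simplified CSP `frame-ancestors` matching; the function names are hypothetical and the URLs and headers are constructed from the question's setup.

```python
from urllib.parse import urlsplit

# Constructed inputs modelled on the question: parent page on google.local,
# upstream response carrying X-Frame-Options: SAMEORIGIN.
PARENT = "http://google.local/"
UPSTREAM = {"X-Frame-Options": "SAMEORIGIN"}

def origin(url):
    """(scheme, host, port) tuple used for same-origin comparison."""
    u = urlsplit(url)
    return (u.scheme, (u.hostname or "").lower(), u.port or {"http": 80, "https": 443}.get(u.scheme))

def frame_ancestors(csp):
    """Return the frame-ancestors source list from a CSP value, or None."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None

def framing_allowed(parent_url, framed_url, headers):
    """True if framed_url's response may render in a frame on parent_url (one nesting level)."""
    h = {k.lower(): v for k, v in headers.items()}
    same = origin(parent_url) == origin(framed_url)
    sources = frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        # frame-ancestors takes precedence; X-Frame-Options is not consulted.
        # Simplified matching: *, 'self' and exact origins only.
        if "*" in sources:
            return True
        if "'self'" in sources and same:
            return True
        return any(s[0] != "'" and origin(s) == origin(parent_url) for s in sources)
    values = {v.strip().lower() for v in h.get("x-frame-options", "").split(",") if v.strip()}
    if len(values) > 1:
        # Conflicting known values block; a list of only unknown values is ignored.
        return not (values & {"deny", "sameorigin", "allowall"})
    if "deny" in values:
        return False
    if "sameorigin" in values:
        return same
    return True  # no header, or an unrecognised value such as ALLOW-FROM
```

Once the browser follows the upstream redirect, the framed document's origin is www.oracle.com rather than google.local, so SAMEORIGIN blocks it. Appending a second value to an existing SAMEORIGIN header produces a conflicting list, which blocks framing even for a same-origin parent.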