Nginx and Rails headers not working

Time: 2018-03-13 12:39:27

Tags: ruby-on-rails nginx

I am trying to add some headers to my nginx configuration, but at the moment only one of them is working (Strict-Transport-Security).

upstream puma_muninn {
  server app:3000;
}

server {
  listen 80;
  return 301 https://$host$request_uri;
}

server {
  listen  443 default ssl;
  server_name production.test.com;
  root /var/www/muninn/public;

  ssl on;

  ssl_certificate /var/www/muninn/test.crt;
  ssl_certificate_key /var/www/muninn/test.key;

  ssl_session_timeout  5m;
  ssl_protocols  SSLv2 SSLv3 TLSv1;
  ssl_ciphers  HIGH:!aNULL:!MD5;
  ssl_prefer_server_ciphers   on;

  client_max_body_size 4G;
  keepalive_timeout 10;

  error_page 500 502 504 /500.html;
  error_page 503 @503;

  try_files $uri/index.html $uri @puma_muninn;

  location @puma_muninn {
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options nosniff;
    add_header Content-Security-Policy "default-src 'self';";
    add_header 'Referrer-Policy' 'origin';


    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;

    access_log /var/www/muninn/log/nginx.access.log;
    error_log /var/www/muninn/log/nginx.error.log;
  }
}

If I add some headers on the Rails side:

config.action_dispatch.default_headers = {
  'X-Frame-Options' => 'SAMEORIGIN'
}

it turns off every header coming from nginx.

Any ideas?

1 answer:

Answer 0 (score: 0)

To make sure all traffic to the application is treated equally in terms of security, move the add_header declarations outside the location block, and avoid setting in the application the headers that are already set on NGINX. Your file should look like this:

upstream puma_muninn {
  server app:3000;
}

server {
  listen 80;
  return 301 https://$host$request_uri;
}

server {
  listen  443 default ssl;
  server_name production.test.com;
  root /var/www/muninn/public;

  ssl on;

  ssl_certificate /var/www/muninn/test.crt;
  ssl_certificate_key /var/www/muninn/test.key;

  ssl_session_timeout  5m;
  ssl_protocols  SSLv2 SSLv3 TLSv1;
  ssl_ciphers  HIGH:!aNULL:!MD5;
  ssl_prefer_server_ciphers   on;

  client_max_body_size 4G;
  keepalive_timeout 10;

  error_page 500 502 504 /500.html;
  error_page 503 @503;

  try_files $uri/index.html $uri @puma_muninn;
  # Equal security to all requests
  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
  add_header X-Frame-Options "SAMEORIGIN";
  add_header X-XSS-Protection "1; mode=block";
  add_header X-Content-Type-Options nosniff;
  add_header Content-Security-Policy "default-src 'self';";
  add_header 'Referrer-Policy' 'origin';

  location @puma_muninn {
    # No need to specify security headers here, since the global config will take care of the rest.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;

    access_log /var/www/muninn/log/nginx.access.log;
    error_log /var/www/muninn/log/nginx.error.log;
  }
}

If you want to enforce all SSL/TLS, cookie and HSTS security in NGINX, you should remove the security headers from the Rails application, as you may have followed similar steps as this answer. Duplicate headers can trigger false positives, or even true positives, in those automated website analysis tools.
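Two documented nginx rules decide which of these headers actually reach the client: add_header directives are inherited from the enclosing level only if the current level defines none of its own (so a single add_header inside a location block discards every server-level header for that location), and a header without the always parameter is only added to 2xx and 3xx responses, never to error pages. The Ruby script below is an added example, not code from the question, the answer or the Rails or nginx projects: it is a small lint that parses a simplified nginx config, reports headers shadowed by a nested add_header, and flags directives that lack always. The SAMPLE_CONFIG and FIXED_CONFIG strings are constructed samples modelled on the layout of the question's config, with the hypothetical location name @app.

```ruby
# Added example, not part of the original question or answer: a small lint
# for nginx "add_header" usage, applying two documented nginx rules:
#   1. add_header directives are inherited from the enclosing level only if
#      the current level defines none of its own, so a location block with a
#      single add_header silently drops every server-level header.
#   2. Without the "always" parameter a header is only added to 200, 201, 204,
#      206, 301, 302, 303, 304, 307 and 308 responses, so error pages go out
#      without it.
# The configs at the bottom are constructed samples modelled on the question.

NginxHeader = Struct.new(:name, :always, :context, :line)

# Simplified nginx parser: tracks block nesting and records every add_header
# together with the chain of blocks it sits in. Comments are stripped and one
# directive per line is assumed, which covers typical add_header usage.
def parse_add_headers(config)
  headers = []
  stack = []
  config.each_line.with_index(1) do |raw, lineno|
    line = raw.sub(/#.*/, '').strip
    next if line.empty?
    if line.end_with?('{')
      stack.push("#{line.chomp('{').strip} (line #{lineno})")
    elsif line == '}'
      stack.pop
    elsif (m = line.match(/\Aadd_header\s+['"]?([^'"\s]+)['"]?\s+(.*);\z/))
      always = m[2].split(/\s+/).last == 'always'
      headers << NginxHeader.new(m[1], always, stack.join(' > '), lineno)
    end
  end
  headers
end

# Returns human-readable findings: enclosing-level headers that a nested block
# shadows by declaring its own add_header, and headers lacking "always".
def lint_add_headers(config)
  by_context = parse_add_headers(config).group_by(&:context)
  findings = []
  by_context.each do |ctx, hs|
    enclosing = by_context.keys.select { |p| ctx.start_with?("#{p} > ") }
    enclosing.each do |parent|
      (by_context[parent].map(&:name) - hs.map(&:name)).each do |name|
        findings << "#{ctx}: declares add_header, so '#{name}' from " \
                    "#{parent} is not inherited"
      end
    end
    hs.reject(&:always).each do |h|
      findings << "line #{h.line}: #{h.name} lacks 'always'; " \
                  'not sent on 4xx/5xx responses'
    end
  end
  findings
end

# Constructed sample reproducing the shape of the question's config.
SAMPLE_CONFIG = <<~NGINX
  server {
    listen 443 ssl;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options nosniff always;

    location @app {
      # One add_header here discards both server-level headers for this block.
      add_header X-Frame-Options "SAMEORIGIN";
      proxy_pass http://app:3000;
    }
  }
NGINX

# Constructed corrected sample: every header at server level, each with "always".
FIXED_CONFIG = <<~NGINX
  server {
    listen 443 ssl;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options "SAMEORIGIN" always;

    location @app {
      proxy_pass http://app:3000;
    }
  }
NGINX

if __FILE__ == $PROGRAM_NAME
  puts 'Findings for the sample config:'
  lint_add_headers(SAMPLE_CONFIG).each { |f| puts "  - #{f}" }
  puts "Findings for the corrected config: #{lint_add_headers(FIXED_CONFIG).size}"
end
```

Run it against a real nginx.conf by replacing the heredoc with File.read; the sample produces three findings (two server-level headers lost inside the location, one header without always), and the corrected layout produces none, which is the shape the answer recommends.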