使用 CORS 和 http/2 修复 nginx 中的标头

使用 CORS 和 http/2 修复 nginx 中的标头

我已经研究我的 nginx 配置一段时间了,但不知何故,我的标头似乎出现了混淆。我在 ubuntu 14.04 上使用 nginx 1.9.12 运行 http/2,结果出现了稳固的 A 级评价。然而,尽管我得到了大部分的标题修改,但我得到了标头安全性为 F

我认为这可能与CORS 配置我复制粘贴了.但我就是不知道该怎么做。

请参阅下面的我的配置文件,其中有一些缩回的路径和一些已删除的错误页面指令,以使其更简单。

任何帮助都将受到赞赏。

# settings
#
server_tokens  off;


# http to https redirect
#
server {
    listen       80;
    server_name  gel.westpacgroup.com.au;
    return 301   https://$host$request_uri;
}


# ssl and http2 config
#
server {
    listen       443 ssl http2;
    listen       [::]:443 ssl http2;
    server_name  gel.westpacgroup.com.au;

    ssl on;
    ssl_certificate      /path/to/fullchain.pem;
    ssl_certificate_key  /path/to/privkey.pem;

    ssl_session_timeout  1d;
    ssl_session_cache    shared:SSL:50m;
    ssl_session_tickets  off;

    ssl_protocols              TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers  on;
    ssl_dhparam                /path/to/dhparam.pem;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling         on;
    ssl_stapling_verify  on;

    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header  Strict-Transport-Security 'max-age=31536000; includeSubDomains;' always;

    # prevent clickjacking attacks
    add_header  X-Frame-Options 'SAMEORIGIN';

    # disallow circumventing declared MIME types
    add_header X-Content-Type-Options nosniff;

    # X-XSS-Protection
    add_header X-XSS-Protection '1; mode=block';

    # root server
    #
    location / {
        root   /path/to/;
        index  index.html index.htm;

        # Wide-open CORS config for nginx
        #
        if ($request_method = 'OPTIONS') {
            add_header  'Access-Control-Allow-Origin' '*';

            # Om nom nom cookies
            add_header  'Access-Control-Allow-Credentials' 'true';
            add_header  'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';

            # Custom headers and headers various browsers *should* be OK with but aren't
            add_header  'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';

            # Tell client that this pre-flight info is valid for 20 days
            add_header  'Access-Control-Max-Age' 1728000;
            add_header  'Content-Type' 'text/plain charset=UTF-8';
            add_header  'Content-Length' 0;
            return      204;
        }

        if ($request_method = 'POST') {
            add_header  'Access-Control-Allow-Origin' '*';
            add_header  'Access-Control-Allow-Credentials' 'true';
            add_header  'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
            add_header  'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
        }
        if ($request_method = 'GET') {
            add_header  'Access-Control-Allow-Origin' '*';
            add_header  'Access-Control-Allow-Credentials' 'true';
            add_header  'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
            add_header  'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
        }
        if ($request_method = 'GET') {
            add_header  'Access-Control-Allow-Origin' '*';
            add_header  'Access-Control-Allow-Credentials' 'true';
            add_header  'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
            add_header  'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
        }
    }

    # redirect server error pages to the static error pages
    #

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    location ~ /\.ht {
        deny  all;
    }
}

答案1

在我看来,这些标头尚未添加 - strict-transport-security 等。要使用 add_header,您需要从源代码构建 nginx,其中包含 headers_more 模块。你这样做了吗?如果没有,有一个教程在这里

(更新 - 这是必需的,但不确定为什么)您可能想尝试将 add_headers 移动到位置块内,看看是否效果更好。

做一个简单的测试 - 在您的主要位置添加一个简单的、无条件的标头,然后使用 curl 或 Firefox 和“Live HTTP Headers”扩展查看它。

add_header Z_TESTHEADER "value"

相关内容