Rewriting the client "Host" HTTP header before nginx validates the field

I receive the following request from a device and should proxy it to hd10.vtech.com:

   GET http://hd10.vtech.com/test/pp_firmware/HD10-CH010_SUOTA.bin HTTP/1.1
   Host: http://hd10.vtech.com/test/pp_firmware/HD10-CH010_SUOTA.bin
   Range: bytes=0-59

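Unfortunately, nginx considers the client Host header field invalid and throws a 400 error. Is there a way to rewrite the client Host header before nginx/openresty validates the request? I tried using the more_set_input_headers routine to modify the header, but this happens after validation…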

nginx.conf (in testing):

user  nobody;
#number of cores:
#grep processor /proc/cpuinfo | wc -l
worker_processes  2;

#
pid        logs/nginx.pid;

#daemon off;
error_log /var/log/nginx.log info;

events {
#number of files that can be opened simultaneously by a process:
#ulimit -n
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  application/octet-stream;
    # note that the log_format directly below is a single line
    log_format main '[$time_local] remote_ip: $remote_addr realip: $realip_remote_addr remote_user: $remote_user  request: "$request" status: $status body_byte: $body_bytes_sent referer: "$http_referer" agent: "$http_user_agent" proxy: "$proxy_host" host: "$host"';

    access_log  /var/log/access.log  main;

    ignore_invalid_headers on;
    sendfile        on;
    #tcp_nopush     on;

    #context should be upstream - don't know if applied
    #keepalive_timeout  0;
    keepalive_timeout  15;

    #gzip  on;
    lua_package_path "/usr/local/openresty/lua-resty-http/lib/?.lua;/usr/local/openresty/src/?.lua;;";
    lua_package_cpath "/usr/local/openresty/lualib/?.so;;";
    #lua_code_cache off;
    lua_shared_dict whitelist 500k;
    lua_shared_dict useragent 100k;
    lua_shared_dict captive 100k;
    lua_shared_dict redirecttable 100k;
    lua_shared_dict clients 2m;

    init_by_lua_block {
        require("initialize").go()
        }

    server {
        lua_socket_connect_timeout 5m;
        proxy_connect_timeout   15;
        proxy_set_header HOST $host;
        proxy_buffering off;
        proxy_set_header Connection "";
        proxy_http_version 1.1;

        #proxy_ignore_client_abort on;
        listen 172.16.23.238:8080;
        ###security hardening
        #removes version of webserver in response headers
        server_tokens off;
        #overwrites Server headers
        more_set_headers 'Server: Webproxy';
        #prevents clickjacking - debatable if the proxy should enforce this
        add_header X-Frame-Options "SAMEORIGIN";
        #protects clients with Webkit browsers (IE8+) from XSS attacks
        add_header X-XSS-Protection "1; mode=block";
        #limits some types from turning into executable code (e.g style can only be text/css, if it's something else it is blocked)
        add_header X-Content-Type-Options nosniff;
        #proxy headers - passes useful info and original ip
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_bind 62.202.200.246;

        #delete if breaks stuff
        proxy_read_timeout 15;
        proxy_send_timeout 15;

        location / {

            resolver 1.1.1.1 10.212.10.10 ipv6=off;  #
            set $target '';

            access_by_lua_block {
            require("sharedmemory").go()
            require("useragent").go()
            }
            #pass remote Server in Header - currently overwritten by more_set_header
            proxy_pass_header Server;
            proxy_pass http://$target;
        }
  }

}

Thanks and regards, David

Answer 1

You have an underscore in your Host header. The default value of the underscores_in_headers directive is Off, so you could try setting it to On.
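
As an added example (not part of the original question or answer, and not nginx's own validation code), this Python sketch checks the Host value from the request in the question against a simplified host[:port] grammar and takes the forwarding host from the absolute-form request line, as RFC 7230 section 5.4 describes for proxies. The function names and the simplified grammar (no IPv6 literals) are assumptions.

```python
import re
from urllib.parse import urlsplit

# Simplified host[:port] grammar (assumption: hostnames/IPv4 only, no IPv6 literals).
HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?(?::\d{1,5})?$")

def host_header_problems(value):
    """Return the reasons a Host value is not a bare host[:port]."""
    problems = []
    if "://" in value:
        problems.append("contains a scheme")
    if "/" in value.split("://", 1)[-1]:
        problems.append("contains a path")
    if "_" in value:
        problems.append("contains an underscore")
    if not problems and not HOST_RE.match(value):
        problems.append("not a valid host[:port]")
    return problems

def effective_host(request_line, host_header):
    """Pick the host a proxy should forward to.

    RFC 7230 section 5.4: with an absolute-form request-target the proxy
    uses the host from the request-target and ignores the Host field.
    """
    _method, target, _version = request_line.split(" ", 2)
    if target.lower().startswith(("http://", "https://")):
        netloc = urlsplit(target).netloc
        if HOST_RE.match(netloc):
            return netloc
        raise ValueError("invalid host in request-target")
    # Origin-form request: the Host field is the only source, so it must be clean.
    if host_header_problems(host_header):
        raise ValueError("invalid Host header")
    return host_header

# Request line and Host value copied from the question.
REQUEST_LINE = "GET http://hd10.vtech.com/test/pp_firmware/HD10-CH010_SUOTA.bin HTTP/1.1"
HOST_VALUE = "http://hd10.vtech.com/test/pp_firmware/HD10-CH010_SUOTA.bin"

if __name__ == "__main__":
    print(host_header_problems(HOST_VALUE))
    print(effective_host(REQUEST_LINE, HOST_VALUE))
```

Validating the derived host before it reaches a variable-driven `proxy_pass http://$target;` keeps a malformed or unexpected client value from choosing the upstream.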
