在 Nginx 中,为什么 405 错误页面可以在主服务器块中正确显示,但在重定向到主块的服务器块中却无法正确显示?

在 Nginx 中,为什么 405 错误页面可以在主服务器块中正确显示,但在重定向到主块的服务器块中却无法正确显示?

我使用两个服务器块将所有请求转发到主块,该主块为所有带有前缀的请求提供服务。当我在请求中https://www抛出 405 错误时,相应的错误页面会按预期显示。https://www

但是,当我使用httphttps仅使用前缀并使用 Postman 发送 DELETE 或 PATCH 请求时,请求会通过前 2 个服务器块之一,并且不会返回任何错误。页面正常显示,就像发出了 GET 请求一样。

我如何改变我的配置以便无论请求的前缀是什么都能显示错误?

user  nginx;
worker_processes  auto;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {

    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    # access_log  /var/log/nginx/access.log  main;
    access_log off;

    limit_req_zone $binary_remote_addr zone=mylimit:1m rate=50r/s;
    limit_req zone=mylimit burst=20 nodelay;

    sendfile      on;
    tcp_nopush    on;
    sendfile_max_chunk 1m;

    gzip on;
    gzip_comp_level 3;
    gzip_types text/css application/javascript application/x-javascript text/javascript;
    gzip_vary on;

    server_tokens off;
    resolver 8.8.8.8 8.8.4.4 [2001:4860:4860::8888] [2001:4860:4860::8844];

    error_page 400 /html/400.html;
    error_page 403 /html/403.html;
    error_page 404 /html/404.html;
    error_page 405 /html/405.html;
    error_page 500 502 503 504 /html/50x.html;

    server {

        listen 80;
        listen [::]:80;

        server_name example.com www.example.com;

        if ($request_method !~ ^(GET|HEAD|POST)$) {
            return 405;
        }

        return 301 https://www.example.com$request_uri;

    }

    server {

        listen 443 ssl http2;
        listen [::]:443 ssl http2;

        server_name example.com;

        ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

        if ($request_method !~ ^(GET|HEAD|POST)$) {
            return 405;
        }

        return 301 https://www.example.com$request_uri;

    }


    server {

        listen 443 ssl http2;
        listen [::]:443 ssl http2;

        server_name www.example.com;

        ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

        if ($request_method !~ ^(GET|HEAD|POST)$) {
            return 405;
        }

        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;

        root /srv/example/views/public;

        location ~* \.(jpg|png|svg|webp|ico)$ {
            valid_referers none blocked server_names ~\.bing\. ~\.duckduckgo\. ~\.facebook\. ~\.google\. ~\.instagram\. ~\.twitter\. ~\.yahoo\.;
            if ($invalid_referer) {
                return 403;
            }
            add_header content-security-policy "default-src 'self';";
            add_header cache-control "public, max-age=31536000";
            add_header x-content-type-options nosniff;
        }

        location ~* \.(css)$ {
            add_header content-security-policy "default-src 'self'; font-src 'self' https://fonts.gstatic.com fonts.googleapis.com; style-src 'self' fonts.googleapis.com;";
            add_header cache-control "public, max-age=2629746";
            add_header x-content-type-options nosniff;
        }

        location ~* \.(htm|html)$ {
            add_header content-security-policy "default-src 'self'; font-src 'self' https://fonts.gstatic.com fonts.googleapis.com; img-src 'self' https://www.youtube.com; media-src 'self' https://www.youtube.com; object-src 'none'; script-src 'self' https://www.google-analytics.com https://apis.google.com https://js.stripe.com; style-src 'self' fonts.googleapis.com;";
            add_header cache-control "public, max-age=2629746";
            add_header feature-policy "autoplay 'none'; legacy-image-formats 'none'; oversized-images 'none'; unsized-media 'none';";
            add_header permissions-policy "autoplay=(); legacy-image-formats=(); oversized-images=(); unsized-media=();";
            add_header referrer-policy strict-origin;
            add_header strict-transport-security "max-age=31557600; includesubdomains";
            add_header x-content-type-options nosniff;
            add_header x-frame-options sameorigin;
        }

        location ~* \.(js)$ {
            add_header content-security-policy "default-src 'self';";
            add_header cache-control "public, max-age=2629746";
            add_header x-content-type-options nosniff;
        }

        location / {
            add_header content-security-policy "default-src 'self'; font-src 'self' https://fonts.gstatic.com fonts.googleapis.com; img-src 'self' https://www.youtube.com; media-src 'self' https://www.youtube.com; object-src 'none'; script-src 'self' https://www.google-analytics.com https://apis.google.com https://js.stripe.com; style-src 'self' fonts.googleapis.com;";
            add_header cache-control "public, max-age=2629746";
            add_header feature-policy "autoplay 'none'; legacy-image-formats 'none'; oversized-images 'none'; unsized-media 'none';";
            add_header permissions-policy "autoplay=(); legacy-image-formats=(); oversized-images=(); unsized-media=();";
            add_header referrer-policy strict-origin;
            add_header strict-transport-security "max-age=31557600; includesubdomains";
            add_header x-content-type-options nosniff;
            add_header x-frame-options sameorigin;
            proxy_hide_header x-powered-by;
            proxy_pass http://127.0.0.1:8080;
        }

    }

    server {

        listen 80;
        listen [::]:80;

        server_name testbed.example.com;

        if ($request_method !~ ^(GET|HEAD|POST)$) {
            return 405;
        }

        return 301 https://testbed.example.com$request_uri;

    }

    server {

        listen 443 ssl http2;
        listen [::]:443 ssl http2;

        server_name testbed.example.com;

        ssl_certificate /etc/letsencrypt/live/testbed.example.com/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/testbed.example.com/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

        if ($request_method !~ ^(GET|HEAD|POST)$) {
            return 405;
        }

        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /etc/letsencrypt/live/testbed.example.com/chain.pem;

        root /srv/testbed/views/public;

        location ~* \.(jpg|png|svg|webp|ico)$ {
            valid_referers none blocked server_names ~\.bing\. ~\.duckduckgo\. ~\.facebook\. ~\.google\. ~\.instagram\. ~\.twitter\. ~\.yahoo\.;
            if ($invalid_referer) {
                return 403;
            }
            add_header content-security-policy "default-src 'self';";
            add_header cache-control "public, max-age=31536000";
            add_header x-content-type-options nosniff;
        }

        location ~* \.(css)$ {
            add_header content-security-policy "default-src 'self'; font-src 'self' https://fonts.gstatic.com fonts.googleapis.com; style-src 'self' fonts.googleapis.com;";
            add_header cache-control "public, max-age=2629746";
            add_header x-content-type-options nosniff;
        }

        location ~* \.(htm|html)$ {
            add_header content-security-policy "default-src 'self'; font-src 'self' https://fonts.gstatic.com fonts.googleapis.com; img-src 'self' https://www.youtube.com; media-src 'self' https://www.youtube.com; object-src 'none'; script-src 'self' https://www.google-analytics.com https://apis.google.com https://js.stripe.com; style-src 'self' fonts.googleapis.com;";
            add_header cache-control "public, max-age=2629746";
            add_header feature-policy "autoplay 'none'; legacy-image-formats 'none'; oversized-images 'none'; unsized-media 'none';";
            add_header permissions-policy "autoplay=(); legacy-image-formats=(); oversized-images=(); unsized-media=();";
            add_header referrer-policy strict-origin;
            add_header strict-transport-security "max-age=31557600; includesubdomains";
            add_header x-content-type-options nosniff;
            add_header x-frame-options sameorigin;
        }

        location ~* \.(js)$ {
            add_header content-security-policy "default-src 'self';";
            add_header cache-control "public, max-age=2629746";
            add_header x-content-type-options nosniff;
        }

        location / {
            add_header content-security-policy "default-src 'self'; font-src 'self' https://fonts.gstatic.com fonts.googleapis.com; img-src 'self' https://www.youtube.com; media-src 'self' https://www.youtube.com; object-src 'none'; script-src 'self' https://www.google-analytics.com https://apis.google.com https://js.stripe.com; style-src 'self' fonts.googleapis.com;";
            add_header cache-control "public, max-age=2629746";
            add_header feature-policy "autoplay 'none'; legacy-image-formats 'none'; oversized-images 'none'; unsized-media 'none';";
            add_header permissions-policy "autoplay=(); legacy-image-formats=(); oversized-images=(); unsized-media=();";
            add_header referrer-policy strict-origin;
            add_header strict-transport-security "max-age=31557600; includesubdomains";
            add_header x-content-type-options nosniff;
            add_header x-frame-options sameorigin;
            proxy_hide_header x-powered-by;
            proxy_pass http://127.0.0.1:10001;
        }

    }

}

答案1

nginx文档讲述了以下内容:

评估指定的条件。如果为真,则执行括号内指定的模块指令,并将 if 指令内的配置分配给请求。if 指令内的配置继承自上一个配置级别。

在您的示例配置中,这意味着return 301配置是从父配置级别继承的。文档没有说明当上一个配置级别和当前级别都包含return指令时会发生什么。但从您的结果来看,继承的指令似乎被保留了下来。

已经有人建议将重定向包含在位置内。我在这里编写了一个精确的配置,以突出显示配置块应如何显示:

server {
    listen 80;
    listen [::]:80;

    server_name example.com www.example.com;

    if ($request_method !~ ^(GET|HEAD|POST)$) {
        return 405;
    }

    location / {
        return 301 https://www.example.com$request_uri;
    }
}

另一种可能性是使用limit_except。这是一个未经测试的版本:

server {
    listen 80;
    listen [::]:80;

    server_name example.com www.example.com;

    location /
        error_page 403 =405 /html/405.html;
        limit_except GET POST {
            deny all;
        }

        return 301 https://www.example.com$request_uri;
    }
}

limit_except允许 GET 和 POST 方法,其他所有方法均被拒绝。通过允许 GET,HEAD 被隐式允许。

error_page指令用于将403错误代码转换为deny all返回405代码并显示错误页面。

相关内容