nginx error_page 404 HSTS header missing

I have a Laravel site running nginx 1.15.0. The site configuration specifies HSTS (HTTP Strict Transport Security) headers at the server level. This works for all valid URLs.

However, when a request results in a 404, the HSTS header is not returned with the response. The same goes for the other headers set by add_header in the server block.

What I want is for the HSTS header to be included in all responses, even errors. To be honest, this is just to satisfy a security scanner that flags it as a medium-level vulnerability. It may be security theatre, but I still want to understand what is going on here.

Apart from one explicitly-defined exception for .json URLs, there are no other add_header directives that interfere with the server-level ones.

Below is my nginx configuration for this site. The before/* and after/* includes do not appear to issue any add_header directives, so I won't expand them here.

# FORGE CONFIG (DOT NOT REMOVE!)
include forge-conf/example.com/before/*;

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name .example.com;
    root /home/forge/example.com/current/public;

    client_max_body_size 100M;

    # FORGE SSL (DO NOT REMOVE!)
    ssl_certificate /etc/nginx/ssl/example.com/302491/server.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com/302491/server.key;

    ssl_protocols TLSv1.2;
    # Updated cipher suite per Mozilla recommendation for Modern compatibility
    # https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparams.pem;

    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff";
    add_header Vary "Origin";

    add_header Access-Control-Allow-Origin "*";
    add_header Access-Control-Allow-Credentials 'true';
    add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS';
    add_header Access-Control-Allow-Headers 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
    add_header Referrer-Policy "strict-origin-when-cross-origin";
    add_header Public-Key-Pins 'pin-sha256="hpkppinhash="; pin-sha256="anotherpinhash="; pin-sha256="yetanotherpinhash="; pin-sha256="anotherpinhash="; pin-sha256="lastpinhash="; max-age=86400';


    index index.html index.htm index.php;

    charset utf-8;

    # FORGE CONFIG (DOT NOT REMOVE!)
    include forge-conf/example.com/server/*;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    access_log off; 
    error_log  /var/log/nginx/example.com-error.log error;

    error_page 404 /index.php;

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php/php7.1-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }

    location ~ /\.ht {
        deny all;
    }

    location ~* \.json {
        add_header Cache-Control "no-store,no-cache";
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
        add_header Referrer-Policy "strict-origin-when-cross-origin";
    }
}

# FORGE CONFIG (DOT NOT REMOVE!)
include forge-conf/example.com/after/*;

You need to add the always parameter, as stated in the documentation:

Adds the specified field to a response header provided that the response code equals 200, 201 (1.3.10), 204, 206, 301, 302, 303, 304, 307 (1.1.16, 1.0.13), or 308 (1.13.0). The value can contain variables.

...

If the always parameter is specified (1.7.5), the header field will be added regardless of the response code.

So change your configuration to:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
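To confirm the fix (and to reproduce what the scanner saw), here is an added checker that is not part of the question or answer: it parses a raw HTTP response head and reports which of the server-level security headers from the config above are absent, and whether the HSTS value carries the expected max-age and includeSubDomains. The two sample responses are constructed, not captured from a real server; fetch_raw() is a hypothetical helper for running the same audit against a live host.

```python
import http.client
import re

# Server-level headers from the config in the question; the scanner expects
# all of them on every response, including 404s served through error_page.
EXPECTED_HEADERS = ["strict-transport-security", "x-frame-options",
                    "x-content-type-options", "referrer-policy"]
MIN_HSTS_MAX_AGE = 31536000  # one year, matching the max-age in the config


def parse_response(raw: bytes) -> tuple[int, dict]:
    """Split a raw HTTP/1.x response head into (status_code, {lower_name: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def audit_headers(raw: bytes) -> dict:
    """Report the status, the expected headers that are missing, and whether HSTS is acceptable."""
    status, headers = parse_response(raw)
    missing = [h for h in EXPECTED_HEADERS if h not in headers]
    hsts = headers.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
    hsts_ok = bool(m) and int(m.group(1)) >= MIN_HSTS_MAX_AGE \
        and "includesubdomains" in hsts.lower()
    return {"status": status, "missing": missing, "hsts_ok": hsts_ok}


def fetch_raw(host: str, path: str) -> bytes:
    """Hypothetical live helper: HEAD a path over HTTPS and rebuild the raw head for audit_headers()."""
    conn = http.client.HTTPSConnection(host, timeout=10)
    conn.request("HEAD", path)
    resp = conn.getresponse()
    head = f"HTTP/1.1 {resp.status} {resp.reason}\r\n" + \
        "".join(f"{k}: {v}\r\n" for k, v in resp.getheaders())
    conn.close()
    return head.encode("latin-1") + b"\r\n"


# Constructed samples: a valid URL, and a 404 from the config before `always`
# was added (only X-XSS-Protection survives, because it already had `always`).
OK_RESPONSE = (b"HTTP/1.1 200 OK\r\nServer: nginx/1.15.0\r\n"
               b"Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n"
               b"X-Frame-Options: SAMEORIGIN\r\nX-Content-Type-Options: nosniff\r\n"
               b"Referrer-Policy: strict-origin-when-cross-origin\r\n\r\n")
NOT_FOUND_RESPONSE = (b"HTTP/1.1 404 Not Found\r\nServer: nginx/1.15.0\r\n"
                      b"X-XSS-Protection: 1; mode=block\r\n\r\n")

if __name__ == "__main__":
    for raw in (OK_RESPONSE, NOT_FOUND_RESPONSE):
        print(audit_headers(raw))
```

After adding `always` to each add_header line, the 404 audit should come back with an empty missing list, just like the 200.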