子域的内容安全策略 (csp) 问题,nginx 作为反向代理,节点表示为 backand
content security policy (csp) issue for subdomain with nginx as reverse proxy and node express as backand
我对内容安全策略有疑问 headers。脚本和样式被阻止。
nginx 似乎使我的 express 超载了 headers。
我尝试了很多,最后的状态是这样。
nginx 服务器块
...
location / {
proxy_pass http://127.0.0.1:3000;
proxy_http_version 1.1;
proxy_cache_bypass $http_upgrade;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_set_header x-real-ip $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
}
....
快速设置(域名改为example.com)
const express = require('express');
const lusca = require('lusca');
const app = express();
...
app.use(lusca.xframe('SAMEORIGIN'));
app.use(lusca.xssProtection(true));
app.use(
lusca.csp({
policy: {
"default-src": "'self' *.example.com",
"img-src": "*"
}
})
);
...
在浏览器控制台中我得到这个:
content security policy the page’s settings blocked the loading of a resource at ("default-src")
content security policy the page’s settings blocked the loading of a resource at ("script-src")
content security policy the page’s settings blocked the loading of a resource at ("style-src")
在浏览器的答案字段中(csp 是两倍!):
content-security-policy: default-src 'self' *.example.com; img-src *
content-security-policy: default-src 'none'; frame-ancestors 'none'; script-src 'self'; img-src 'self'; style-src 'self'; base-uri 'self'; form-action 'self';
有谁知道为什么这个配置不起作用?或者如何告诉 nginx 使用 express 的 headers 并按住自己的?
我通过将 proxy_pass_header 添加到 nginx 服务器块来解决它:
location / {
proxy_pass http://127.0.0.1:3000;
proxy_http_version 1.1;
proxy_cache_bypass $http_upgrade;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_set_header x-real-ip $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
// THIS DIRECTIVE SOLVED IT
proxy_pass_header content-security-policy;
}
我对内容安全策略有疑问 headers。脚本和样式被阻止。
nginx 似乎使我的 express 超载了 headers。
我尝试了很多,最后的状态是这样。
nginx 服务器块
...
location / {
proxy_pass http://127.0.0.1:3000;
proxy_http_version 1.1;
proxy_cache_bypass $http_upgrade;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_set_header x-real-ip $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
}
....
快速设置(域名改为example.com)
const express = require('express');
const lusca = require('lusca');
const app = express();
...
app.use(lusca.xframe('SAMEORIGIN'));
app.use(lusca.xssProtection(true));
app.use(
lusca.csp({
policy: {
"default-src": "'self' *.example.com",
"img-src": "*"
}
})
);
...
在浏览器控制台中我得到这个:
content security policy the page’s settings blocked the loading of a resource at ("default-src")
content security policy the page’s settings blocked the loading of a resource at ("script-src")
content security policy the page’s settings blocked the loading of a resource at ("style-src")
在浏览器的答案字段中(csp 是两倍!):
content-security-policy: default-src 'self' *.example.com; img-src *
content-security-policy: default-src 'none'; frame-ancestors 'none'; script-src 'self'; img-src 'self'; style-src 'self'; base-uri 'self'; form-action 'self';
有谁知道为什么这个配置不起作用?或者如何告诉 nginx 使用 express 的 headers 并按住自己的?
我通过将 proxy_pass_header 添加到 nginx 服务器块来解决它:
location / {
proxy_pass http://127.0.0.1:3000;
proxy_http_version 1.1;
proxy_cache_bypass $http_upgrade;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_set_header x-real-ip $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
// THIS DIRECTIVE SOLVED IT
proxy_pass_header content-security-policy;
}