如何在站点 B 上使用 nginx proxy_pass 来提供内容时覆盖站点 A 的 Content-Security-Policy?
How to Override Content-Security-Policy of Site A while using nginx proxy_pass on Site B for serving content?
当我在站点 B 上使用 nginx proxy_pass 时,有没有办法覆盖 domain/site A 设置的 Content-Security-Policy。
Site A defined Content-Security-Policy on their domain.
Site B acts as a reverse proxy for site A.
如何在从站点 B 提供内容时覆盖 Content-Security-Policy?
如何在 nginx 代理传递中实现此目的?
我当前的 nginx 服务器块看起来像这样
server {
server_name proxy-domain.com.;
location / {
proxy_pass http://www.target-site.com/;
proxy_set_header Accept-Encoding "";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
我试过添加
add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'
例如
server {
server_name proxy-domain.com.;
location / {
proxy_pass http://www.target-site.com/;
proxy_set_header Accept-Encoding "";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'
}
但是如果我检查站点 B 的 headers,那么它会显示站点 B 的已修改 Content-Security-Policy,但不会加载来自其他来源的内容。只设置了 headers .
这是为什么?
更新:
当我检查 headers 时,我得到 2 Content-Security-Policy headers ,首先由站点 A 设置,然后 Content-Security-Policy headers 设置为我的站点 B.
例如
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' apis.google.com www.google.com;
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' *.cloudflare.com;
这个问题似乎与 Nginx as reverse Proxy, remove X-Frame-Options header thread on the Nginx mailing list. That solution was proxy_hide_header
By default, nginx does not pass the header fields “Date”, “Server”,
“X-Pad”, and “X-Accel-...” from the response of a proxied server to a
client. The proxy_hide_header directive sets additional fields that
will not be passed. If, on the contrary, the passing of fields needs
to be permitted, the proxy_pass_header directive can be used.
当我在站点 B 上使用 nginx proxy_pass 时,有没有办法覆盖 domain/site A 设置的 Content-Security-Policy。
Site A defined Content-Security-Policy on their domain.
Site B acts as a reverse proxy for site A.
如何在从站点 B 提供内容时覆盖 Content-Security-Policy?
如何在 nginx 代理传递中实现此目的?
我当前的 nginx 服务器块看起来像这样
server {
server_name proxy-domain.com.;
location / {
proxy_pass http://www.target-site.com/;
proxy_set_header Accept-Encoding "";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
我试过添加
add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'
例如
server {
server_name proxy-domain.com.;
location / {
proxy_pass http://www.target-site.com/;
proxy_set_header Accept-Encoding "";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'
}
但是如果我检查站点 B 的 headers,那么它会显示站点 B 的已修改 Content-Security-Policy,但不会加载来自其他来源的内容。只设置了 headers .
这是为什么?
更新: 当我检查 headers 时,我得到 2 Content-Security-Policy headers ,首先由站点 A 设置,然后 Content-Security-Policy headers 设置为我的站点 B.
例如
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' apis.google.com www.google.com;
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' *.cloudflare.com;
这个问题似乎与 Nginx as reverse Proxy, remove X-Frame-Options header thread on the Nginx mailing list. That solution was proxy_hide_header
By default, nginx does not pass the header fields “Date”, “Server”, “X-Pad”, and “X-Accel-...” from the response of a proxied server to a client. The proxy_hide_header directive sets additional fields that will not be passed. If, on the contrary, the passing of fields needs to be permitted, the proxy_pass_header directive can be used.