add security headers in NGINX while using fastcgi caching


Question

I am using nginx with fastcgi cache. I want to use security headers on my site. I have already added the add_header field in my virtual host configuration, but I cannot get any headers unless I disable `add_header X-FastCGI-Cache $upstream_cache_status` in my fastcgi_main.conf file. Virtual host file:

    }
    include /etc/nginx/bots.d/blockbots.conf;
    include /etc/nginx/bots.d/ddos.conf;
    include /etc/nginx/skip_cache.conf;
    include /etc/nginx/purge_location.conf;
    include /etc/nginx/gzip_location.conf;
    include /etc/nginx/security_wp.conf;

    # Server-level headers. They are only inherited by a location that
    # declares no add_header of its own.
    add_header Referrer-Policy 'origin';
    # Header name and value are separate arguments; quoting
    # "X-Frame-Options: sameorigin" as one argument would send a header
    # literally named "X-Frame-Options: sameorigin" with the value "always".
    add_header X-Frame-Options "SAMEORIGIN" always;

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
        include "/etc/nginx/customfastcgi";
        # proxy_* timeouts apply to proxy_pass only; with fastcgi_pass the
        # corresponding directives are fastcgi_connect_timeout,
        # fastcgi_send_timeout and fastcgi_read_timeout.
        proxy_connect_timeout 300;
        proxy_send_timeout 300;
        proxy_read_timeout 300;
        send_timeout 300;
        # underscores_in_headers on;
        client_max_body_size 256M;
        # This include carries its own add_header, which replaces the
        # server-level add_header list for this location.
        include /etc/nginx/fastcgi_main.conf;
    }

}

fastcgi_main.conf:

    fastcgi_no_cache $skip_cache;
    fastcgi_cache phpcache;
    fastcgi_cache_valid 200 1m;
    fastcgi_cache_valid 301 1m;
    fastcgi_cache_valid 302 1m;
    fastcgi_cache_valid 307 1m;
    fastcgi_cache_valid 404 1m;
    fastcgi_cache_use_stale error timeout invalid_header http_500 http_503;
    fastcgi_cache_min_uses 1;
    fastcgi_cache_methods GET HEAD;
    fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
    # The only add_header in the location context: nginx emits this header
    # and none of the ones declared at server level.
    add_header X-FastCGI-Cache $upstream_cache_status;

Result:

    curl -I https://dev-kuhicbury.$domain
    HTTP/1.1 200 OK
    Server: nginx/1.10.3 (Ubuntu)
    Date: Fri, 09 Oct 2020 11:39:35 GMT
    Content-Type: text/html; charset=UTF-8
    Connection: keep-alive
    Vary: Accept-Encoding
    rel="https://api.w.org/"
    X-FastCGI-Cache: HIT

Accepted answer

You've stepped onto a very common configuration pitfall of the add_header directive. Similar to all other array-like directives in NGINX, it is only inherited if there is no other add_header in the current context.

The typical solution is to copy-paste (through inevitable duplication) the desired headers into the specific location:

In fastcgi_main.conf:

    fastcgi_no_cache $skip_cache;
    fastcgi_cache phpcache;
    fastcgi_cache_valid 200 1m;
    fastcgi_cache_valid 301 1m;
    fastcgi_cache_valid 302 1m;
    fastcgi_cache_valid 307 1m;
    fastcgi_cache_valid 404 1m;
    fastcgi_cache_use_stale error timeout invalid_header http_500 http_503;
    fastcgi_cache_min_uses 1;
    fastcgi_cache_methods GET HEAD;
    fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
    add_header X-FastCGI-Cache $upstream_cache_status;
    # Repeated here because this context's own add_header replaces the
    # server-level list instead of extending it.
    add_header Referrer-Policy 'origin';
    # Name and value as separate arguments (a single quoted
    # "X-Frame-Options: sameorigin" argument would become the header name).
    add_header X-Frame-Options "SAMEORIGIN" always;

This unintuitive behavior of NGINX has been a source of trouble for many.

Here are some modules of interest, which address the same issue (as in, "better add_header"):

  • ngx_headers_more
  • ngx_security_headers, more applicable to your case
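The all-or-nothing inheritance rule above is easy to state and easy to violate by accident, especially when the offending add_header lives in an included file. The following checker is an added example, not code from the answer, from nginx or from either module listed above. It parses a config with a small tokenizer (assumed: all `include` files are already inlined into one string, and only `add_header` is tracked), computes the add_header list nginx will actually emit in every context, and reports each context whose own add_header silently drops headers the parent context would have sent. Both configs it runs on are constructed here: one reproducing the pitfall from the question, one with the headers repeated in the location as the answer recommends.

```python
"""Report nginx contexts where add_header shadows inherited headers.

nginx add_header is array-like: a context that declares any add_header
gets ONLY those headers and inherits none from the enclosing context.

Added example, not the original answer's code. Assumptions: include files
are already inlined (nginx -T output works), only add_header is tracked.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Header = Tuple[str, str]   # (name, value) exactly as written in the config

# Constructed sample reproducing the pitfall: security headers at server
# level, a lone add_header X-FastCGI-Cache in the PHP location.
PITFALL_CONF = r"""
server {
    listen 443 ssl;
    add_header Referrer-Policy "origin" always;
    add_header X-Frame-Options "SAMEORIGIN" always;

    location ~ \.php$ {
        fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
        fastcgi_cache phpcache;
        # replaces the server-level list, does not extend it
        add_header X-FastCGI-Cache $upstream_cache_status;
    }

    location /static/ {
        # no add_header here, so the server-level headers are inherited
        expires 1d;
    }
}
"""

# Constructed sample of the answer's fix: repeat the headers next to the
# location's own add_header.
FIXED_CONF = PITFALL_CONF.replace(
    "add_header X-FastCGI-Cache $upstream_cache_status;",
    "add_header X-FastCGI-Cache $upstream_cache_status;\n"
    '        add_header Referrer-Policy "origin" always;\n'
    '        add_header X-Frame-Options "SAMEORIGIN" always;',
)

_TOKEN_RE = re.compile(r'''
    \#[^\n]*                 # comment to end of line
  | "(?:[^"\\]|\\.)*"        # double-quoted argument
  | '(?:[^'\\]|\\.)*'        # single-quoted argument
  | [{};]                    # block open/close, end of directive
  | [^\s{};"']+              # bare word
''', re.VERBOSE)


@dataclass
class Block:
    name: str                                   # "main", "server", "location ~ \.php$"
    directives: List[Tuple[str, List[str]]] = field(default_factory=list)
    children: List["Block"] = field(default_factory=list)


def _unquote(tok: str) -> str:
    if len(tok) >= 2 and tok[0] == tok[-1] and tok[0] in "\"'":
        return tok[1:-1]
    return tok


def parse(conf_text: str) -> Block:
    """Build a Block tree; raises ValueError on unbalanced braces."""
    root = Block("main")
    stack = [root]
    words: List[str] = []
    for m in _TOKEN_RE.finditer(conf_text):
        tok = m.group(0)
        if tok.startswith("#"):
            continue
        if tok == "{":
            child = Block(" ".join(_unquote(w) for w in words))
            stack[-1].children.append(child)
            stack.append(child)
            words = []
        elif tok == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
            words = []
        elif tok == ";":
            if words:
                stack[-1].directives.append((words[0], [_unquote(w) for w in words[1:]]))
            words = []
        else:
            words.append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced '{'")
    return root


def _own_headers(block: Block) -> List[Header]:
    return [(args[0], args[1] if len(args) > 1 else "")
            for name, args in block.directives if name == "add_header"]


def _walk(block: Block, inherited: List[Header], path: Tuple[str, ...],
          effective: Dict[str, List[Header]],
          shadowed: List[Tuple[str, List[str]]]) -> None:
    path = path + (block.name,)
    ctx = " > ".join(path)
    own = _own_headers(block)
    if own and inherited:
        own_names = {n.lower() for n, _ in own}
        lost = [n for n, _ in inherited if n.lower() not in own_names]
        if lost:
            shadowed.append((ctx, lost))
    eff = own if own else inherited     # the nginx rule: all-or-nothing inheritance
    effective[ctx] = list(eff)
    for child in block.children:
        _walk(child, eff, path, effective, shadowed)


def effective_headers(conf_text: str) -> Dict[str, List[Header]]:
    """Map each context path to the add_header list nginx would emit there."""
    effective: Dict[str, List[Header]] = {}
    _walk(parse(conf_text), [], (), effective, [])
    return effective


def find_shadowed(conf_text: str) -> List[Tuple[str, List[str]]]:
    """Contexts whose own add_header drops headers the parent would have sent."""
    shadowed: List[Tuple[str, List[str]]] = []
    _walk(parse(conf_text), [], (), {}, shadowed)
    return shadowed


if __name__ == "__main__":
    for label, conf in (("pitfall", PITFALL_CONF), ("fixed", FIXED_CONF)):
        print(f"== {label} ==")
        for ctx, headers in effective_headers(conf).items():
            print(f"{ctx}: {[n for n, _ in headers]}")
        for ctx, lost in find_shadowed(conf):
            print(f"WARNING {ctx} drops inherited headers: {lost}")
```

On a live host, `nginx -T` prints the configuration with every include resolved, which is the form this checker expects; a clean report from `find_shadowed` still says nothing about headers that the application itself sets, nor about responses with status codes for which add_header without `always` is skipped.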
