在网站B上使用nginx proxy_pass来提供内容时，如何覆盖网站A的内容安全策略？ [英] How to Override Content-Security-Policy of Site A while using nginx proxy_pass on Site B for serving content?

问题描述

当我在站点B上使用nginx proxy_pass时，是否有方法可以覆盖域/站点A设置的内容安全策略。

Is there a way to override Content-Security-Policy set by the domain/site A while i am using nginx proxy_pass on Site B.

Site A defined Content-Security-Policy on their domain.
Site B acts as a reverse proxy for site A.

如何覆盖内容-从网站B提供内容时的安全策略？

How can i override Content-Security-Policy while serve content from site B ?

我如何在nginx代理服务器通行证中实现这一目标？

how can i achieve this in nginx proxy pass ?

我当前的nginx服务器块如下所示：

my current nginx server block looks like this

server {
server_name  proxy-domain.com.;

    location / {
      proxy_pass http://www.target-site.com/;
      proxy_set_header  Accept-Encoding ""; 
      proxy_set_header  X-Real-IP   $remote_addr;   
      proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
   }
}

我尝试添加

add_header Content-Security-Policy default-src'self''unsafe-inline''unsafe-eval'

add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'

eg

server {
server_name  proxy-domain.com.;

    location / {
      proxy_pass http://www.target-site.com/;
      proxy_set_header  Accept-Encoding ""; 
      proxy_set_header  X-Real-IP   $remote_addr;   
      proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
   }
add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'
}

，但如果我检查网站B的标头，则它显示网站B的修改后的Content-Security-Policy，但不会加载其他来源的内容。

but if i check headers of site B, then it shows modified Content-Security-Policy of site B but the content from other sources does not gets loaded., only headers are set.

为什么？

更新：
当我检查标题时获得2个Content-Security-Policy标头，首先由站点A和站点设置后来，我的一个B站点设置了一个Content-Security-Policy标头。

update: when i check headers i get 2 Content-Security-Policy headers , first are set by site A and then later one Content-Security-Policy headers set be my i.e. site B.

例如

Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' apis.google.com www.google.com;
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' *.cloudflare.com;

推荐答案

此问题似乎与 Nginx作为反向代理，删除Nginx上的X-Frame-Options标头线程邮件列表。该解决方案是 proxy_hide_header

This problem seems similar to the Nginx as reverse Proxy, remove X-Frame-Options header thread on the Nginx mailing list. That solution was proxy_hide_header

默认情况下，nginx不传递标头字段 Date， Server，
X-Pad和 X-Accel -...代理服务器对
客户端的响应。 proxy_hide_header指令设置了
不会传递的其他字段。相反，如果需要允许
传递字段，则可以使用proxy_pass_header指令。

By default, nginx does not pass the header fields "Date", "Server", "X-Pad", and "X-Accel-..." from the response of a proxied server to a client. The proxy_hide_header directive sets additional fields that will not be passed. If, on the contrary, the passing of fields needs to be permitted, the proxy_pass_header directive can be used.

这篇关于在网站B上使用nginx proxy_pass来提供内容时，如何覆盖网站A的内容安全策略？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！