堆栈内存溢出
  简体   繁体   English

子域的内容安全策略 (csp) 问题,nginx 作为反向代理,node express 作为 backand

[英]content security policy (csp) issue for subdomain with nginx as reverse proxy and node express as backand

 原文  2019-08-29 09:14:09       node.js/ express/ http-headers/ content-security-policy/ nginx-reverse-proxy

问题描述

I have an issue with content security policy headers.我有内容安全策略标头的问题。 Scripts and styles are blocked.脚本和样式被阻止。

It seams that nginx is overloading my express headers.看来 nginx 正在重载我的快递标头。

I tried a lot and my last state is this.我尝试了很多,我最后的状态是这样。

nginx server block nginx 服务器块

...
location / {
    proxy_pass http://127.0.0.1:3000;
    proxy_http_version 1.1;
    proxy_cache_bypass $http_upgrade;

    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
    proxy_set_header Host $host;
    proxy_set_header x-real-ip $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host  $host;
    proxy_set_header X-Forwarded-Port  $server_port;
}
....

express setup (domain name is changed to example.com)快速设置(域名更改为example.com)

const express = require('express');
const lusca = require('lusca');
const app = express();
...
app.use(lusca.xframe('SAMEORIGIN'));
app.use(lusca.xssProtection(true));
app.use(
  lusca.csp({
    policy: {
      "default-src": "'self' *.example.com",
      "img-src": "*"
    }
  })
);
...

In the browser console I get this:在浏览器控制台中,我得到了这个:

content security policy the page’s settings blocked the loading of a resource at ("default-src")
content security policy the page’s settings blocked the loading of a resource at ("script-src")
content security policy the page’s settings blocked the loading of a resource at ("style-src")

In broswsers answer field (csp is twice!):在浏览器回答字段中(csp 是两次!):

content-security-policy: default-src 'self' *.example.com; img-src *
content-security-policy: default-src 'none'; frame-ancestors 'none'; script-src 'self'; img-src 'self'; style-src 'self'; base-uri 'self'; form-action 'self';

Does anyone have an idea why this configuration is not working?有谁知道为什么这个配置不起作用? Or how to tell nginx to use express's headers and hold down the own?或者如何告诉nginx使用express的标题并按住自己的?

1 个解决方案

解决方案1
 0 已采纳  2020-03-17 12:49:07

I solved it by adding proxy_pass_header to the nginx server block:我通过将proxy_pass_header添加到 nginx 服务器块来解决它:

location / {
    proxy_pass http://127.0.0.1:3000;
    proxy_http_version 1.1;
    proxy_cache_bypass $http_upgrade;

    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
    proxy_set_header Host $host;
    proxy_set_header x-real-ip $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host  $host;
    proxy_set_header X-Forwarded-Port  $server_port;

    // THIS DIRECTIVE SOLVED IT
    proxy_pass_header content-security-policy;
}

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 用于节点应用程序的Nginx反向代理子域 - Nginx Reverse Proxy Subdomain for Node Applications 使用nginx作为节点应用程序的反向代理的子域问题 - Subdomain problems using nginx as a reverse proxy for node apps (NGINX) NodeJS 反向代理子域 - (NGINX) NodeJS Reverse Proxy Subdomain Nginx 反向代理 - 配置子域 - Nginx reverse proxy - config for subdomain nginx 反向代理nodejs子域 - nginx reverse proxy nodejs subdomain 内容安全策略问题节点 js 反应 - Content Security Policy issue node js react nginx 反向代理 Angular Node app 混合内容 http 请求 - nginx reverse proxy Angular Node app mixed content http requests 内容安全策略(CSP)阻止评估方法调用 - Content Security Policy (CSP) block eval method call IIS 反向代理 - 2 个子域到 2 个 Node.js - IIS reverse proxy - 2 subdomain to 2 Node.js 在Express中处理重定向以支持Nginx反向代理 - Handling redirects in Express to support nginx reverse proxy
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM