
Content Security Policy (CSP) issue for subdomain with nginx as reverse proxy and Node Express as backend

I have an issue with content security policy headers. Scripts and styles are blocked.

It seems that nginx is overloading my express headers.

I tried a lot and my last state is this.

nginx server block

...
location / {
    proxy_pass http://127.0.0.1:3000;
    proxy_http_version 1.1;
    proxy_cache_bypass $http_upgrade;

    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
    proxy_set_header Host $host;
    proxy_set_header x-real-ip $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host  $host;
    proxy_set_header X-Forwarded-Port  $server_port;
}
....

express setup (domain name is changed to example.com)

const express = require('express');
const lusca = require('lusca');
const app = express();
...
app.use(lusca.xframe('SAMEORIGIN'));
app.use(lusca.xssProtection(true));
app.use(
  lusca.csp({
    policy: {
      "default-src": "'self' *.example.com",
      "img-src": "*"
    }
  })
);
...

In the browser console I get this:

content security policy the page’s settings blocked the loading of a resource at ("default-src")
content security policy the page’s settings blocked the loading of a resource at ("script-src")
content security policy the page’s settings blocked the loading of a resource at ("style-src")

In the browser's response headers (CSP appears twice!):

content-security-policy: default-src 'self' *.example.com; img-src *
content-security-policy: default-src 'none'; frame-ancestors 'none'; script-src 'self'; img-src 'self'; style-src 'self'; base-uri 'self'; form-action 'self';

Does anyone have an idea why this configuration is not working? Or how to tell nginx to use express's headers and hold back its own?
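The two headers in the response explain the console errors: browsers enforce every Content-Security-Policy header a response carries independently, so a load is permitted only if each policy allows it. The second policy restricts script-src and style-src to 'self', so anything served from another host under example.com is blocked even though the first policy permits it. The following is an added example, not code from the question or from lusca or nginx: a minimal CSP evaluator that applies both headers shown above to a few resource URLs. The page origin https://app.example.com/ and the resource URLs are assumptions; the two policy strings are the ones from the question.

```javascript
// Added example (not from the original post): a minimal CSP evaluator that
// shows why two Content-Security-Policy headers block more than either alone.
// Browsers enforce every CSP header independently, so a request must be
// allowed by ALL of them. The two policy strings are the headers shown in the
// question; the page URL https://app.example.com/ and the resource URLs are
// assumptions made for this example.

// Parse "default-src 'self' *.example.com; img-src *" into a Map of
// directive name -> list of source expressions.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    // Per the CSP spec, a directive repeated within one policy is ignored
    // (the first occurrence wins).
    if (!directives.has(name)) directives.set(name, sources);
  }
  return directives;
}

// Does a single source expression match the URL? Only the subset of the
// source grammar needed here: 'none', 'self', '*', and host patterns with an
// optional leading "*." wildcard label.
function sourceMatches(source, url, pageUrl) {
  if (source === "'none'") return false;
  if (source === "'self'") return url.origin === pageUrl.origin;
  if (source === '*') return true;
  // 'unsafe-inline', nonces and hashes never match a URL-based load.
  if (source.startsWith("'")) return false;
  const host = source.replace(/^[a-z]+:\/\//i, '').split('/')[0].split(':')[0];
  if (host.startsWith('*.')) {
    const suffix = host.slice(1); // "*.example.com" -> ".example.com"
    return url.hostname.endsWith(suffix) && url.hostname.length > suffix.length;
  }
  return url.hostname === host;
}

// Evaluate one policy for a fetch directive (script-src, style-src, img-src),
// falling back to default-src when that directive is absent.
function policyAllows(policy, directive, url, pageUrl) {
  const sources = policy.get(directive) ?? policy.get('default-src');
  if (sources === undefined) return true; // no applicable directive: unrestricted
  return sources.some(s => sourceMatches(s, url, pageUrl));
}

// Several CSP headers: the load is allowed only if every policy allows it.
function allowed(headers, directive, resourceUrl, pageUrl = 'https://app.example.com/') {
  const page = new URL(pageUrl);
  const url = new URL(resourceUrl, page);
  return headers.map(parsePolicy).every(p => policyAllows(p, directive, url, page));
}

// The two headers observed in the browser's response (from the question).
const EXPRESS_CSP = "default-src 'self' *.example.com; img-src *";
const OTHER_CSP = "default-src 'none'; frame-ancestors 'none'; script-src 'self'; img-src 'self'; style-src 'self'; base-uri 'self'; form-action 'self';";

// Compare the Express policy alone against both policies together.
function demo() {
  const script = 'https://cdn.example.com/app.js';      // assumed subdomain script
  const img = 'https://images.example.org/logo.png';    // assumed third-party image
  return {
    expressOnlyScript: allowed([EXPRESS_CSP], 'script-src', script),             // true
    bothHeadersScript: allowed([EXPRESS_CSP, OTHER_CSP], 'script-src', script),  // false
    expressOnlyImg: allowed([EXPRESS_CSP], 'img-src', img),                      // true
    bothHeadersImg: allowed([EXPRESS_CSP, OTHER_CSP], 'img-src', img),           // false
    selfScriptBoth: allowed([EXPRESS_CSP, OTHER_CSP], 'script-src', '/static/app.js'), // true
  };
}
```

The practical check when debugging a setup like this is to request the page once directly from the Express port and once through nginx and compare the Content-Security-Policy headers in each response: whichever hop introduces the second header is the one to fix, because the browser will never relax a policy just because another, looser one is also present.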

I solved it by adding proxy_pass_header to the nginx server block:

location / {
    proxy_pass http://127.0.0.1:3000;
    proxy_http_version 1.1;
    proxy_cache_bypass $http_upgrade;

    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
    proxy_set_header Host $host;
    proxy_set_header x-real-ip $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host  $host;
    proxy_set_header X-Forwarded-Port  $server_port;

    # THIS DIRECTIVE SOLVED IT
    proxy_pass_header content-security-policy;
}
