Skip to content

Fix gixy warnings regardding add_header in nginx example config#1213

Closed
martinetd wants to merge 1 commit intocryptpad:stagingfrom
martinetd:nginx_config
Closed

Fix gixy warnings regardding add_header in nginx example config#1213
martinetd wants to merge 1 commit intocryptpad:stagingfrom
martinetd:nginx_config

Conversation

@martinetd
Copy link
Copy Markdown
Contributor

@martinetd martinetd commented Aug 26, 2023
edited by ghost
Loading

Fixes: #604

@davidbenque davidbenque requested a review from a user August 28, 2023 12:53
@davidbenque
Copy link
Copy Markdown
Contributor

davidbenque commented Aug 28, 2023

Note that the stray '^' is already fixed in 5.4.1

@martinetd
Fix gixy warnings in nginx example config
ca850ba 
gixy warns about add_header: add_header in a sublevel drops all headers set at
parent level, see this link for details:
https://github.com/yandex/gixy/blob/master/docs/en/plugins/addheaderredefinition.md
  * /api/ location was setting CORP/COEP to the same value as server
    level, just drop the add_header calls there
  * blob/block OPTIONS was missing dropping some headers, repeat the
    ones from top level

Fixes: cryptpad#604
@martinetd
Copy link
Copy Markdown
Contributor Author

martinetd commented Aug 28, 2023

Note that the stray '^' is already fixed in 5.4.1

Ah, figured it couldn't be broken for long but I probably should have checked :)

I've rebased and remved this part.

@ghost ghost changed the base branch from main to staging August 30, 2023 08:30
@ghost ghost added the Reverse proxy Web server or reverse proxy issues label Aug 30, 2023
@ghost ghost changed the title Fix nginx example config Fix gixy warnings regardding add_header in nginx example config Sep 4, 2023
@ghost ghost removed their request for review September 4, 2023 14:10
@ghost ghost self-assigned this Sep 4, 2023
@ghost
Copy link
Copy Markdown

ghost commented Sep 4, 2023

Hello,

Thanks for your contribution, we tested your changes and we have a few issues with them. Mainly, duplicating all headers, that we know from experience that can cause issues with some web browsers.

image

We won't be merging your proposed changes but instead will be proposing a much more simpler Nginx example file which will pass all requests to Node directly:

location / {
    proxy_pass            http://localhost:3000;
    proxy_set_header      X-Real-IP $remote_addr;
    proxy_set_header      Host $host;
    proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
    client_max_body_size  150m;

    proxy_http_version    1.1;
    proxy_set_header      Upgrade $http_upgrade;
    proxy_set_header      Connection upgrade;
}

Thanks for your interest anyway!

@ghost ghost closed this Sep 4, 2023
@martinetd
Copy link
Copy Markdown
Contributor Author

martinetd commented Sep 4, 2023

Oh, so requests going to node should either add a bunch of proxy_hide_header, or the behaviour of dropping some headers from nginx was actually useful... I wonder if there's a way to explain that to gixy.. Well, won't be a problem with the new config anyway, thanks.

I'll test a basic nginx config as I don't need any performance on my end (feeling it's a bit of a shame to not at least serve blocks and the dozens of js files directly, but won't matter much to me)
Just to be clear, it basically skips all the alternative backend ports (safe origin port and ws port) and should just work anyway?

@martinetd martinetd mentioned this pull request Sep 4, 2023
Merged
11 tasks
This pull request was closed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

Reverse proxy Web server or reverse proxy issues

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

example nginx config drops security headers in nested sections

2 participants

@martinetd @davidbenque