Welcome! Log In Create A New Profile

Advanced

Re: Behavior of security headers

B.R.
January 26, 2015 11:06AM
Hello,

I guess the 'problem' you are struggling with is one you seem to inflict to
yourself.

As Valentin explained, and as it is the case with other directives as well (
fastcgi_param
<http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html#fastcgi_param>
immediately comes to my mind), if you specify some add_header
<http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header>
directives at a certain level, it will cut-off the default inheritance
property, effectively *not* applying add_header directives defined at upper
levels.

The real question here is:
Why do you wanna avoid duplicating the common add_header fields over all
the locations?
The obvious answer being the 'ease' of maintenance is maybe flawed:

1. Two years later, to know the configuration applied to a location by a
certain directive, you would need to look at several places. If you forgot
you put some at server levels, you might end up with 'strange' behaviors.
Even more true if the maintenance is done by someone else...
2. If you want to replace the configuration of a directive amongst all
locations where it is defined, standard Linux (UNIX?) commands such as
grep, sed, cut, awk, etc. are there to handle such repetitive job.
3. Finally, generating similar or identical copies of the same blocks on
high volumes is generally not done by hand, but rather with tools such as
configuration management ones.


I suggest you watch the video 'Scalable configuration' from Igor Sysoev
https://youtu.be/YWRYbLKsS0I, recorded during the nginx user conference
from last year: that would maybe help you understand better what I
attempted to explain here.

What you sometimes think is a problem might actually save you from actually
getting into trouble without even noticing it...
What is 'unefficient' to human eyes might be 'irrelevant' machine-wise...
reverse might also be true. :o)
---
*B. R.*

On Mon, Jan 26, 2015 at 3:35 PM, okamzol <nginx-forum@nginx.us> wrote:

> OK, if I understand this right - in my original config I have 2 additional
> add_header (cache-control) directives in /image location. And these 2
> directives prevent that the security headers will be applied on server
> level? It seems so as this will explain why it works when I apply the
> sec.headers on location level...
>
> But how to handle domain-wide headers like those security headers and
> location specific ones like cache-control? I mean, without repeating all
> securty headers in each location?
>
> Posted at Nginx Forum:
> http://forum.nginx.org/read.php?2,256270,256276#msg-256276
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Subject Author Posted

Behavior of security headers

okamzol January 26, 2015 06:19AM

Re: Behavior of security headers

Valentin V. Bartenev January 26, 2015 08:32AM

Re: Behavior of security headers

okamzol January 26, 2015 08:38AM

Re: Behavior of security headers

Valentin V. Bartenev January 26, 2015 08:50AM

Re: Behavior of security headers

okamzol January 26, 2015 09:35AM

Re: Behavior of security headers

B.R. January 26, 2015 11:06AM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 82
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready