Welcome! Log In Create A New Profile

Re: Behavior of security headers

Forum List Message List New Topic Print View

B.R.

January 26, 2015 11:06AM

Hello,

I guess the 'problem' you are struggling with is one you seem to inflict to
yourself.

As Valentin explained, and as it is the case with other directives as well (
fastcgi_param
<http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html#fastcgi_param>
immediately comes to my mind), if you specify some add_header
<http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header>
directives at a certain level, it will cut-off the default inheritance
property, effectively *not* applying add_header directives defined at upper
levels.

The real question here is:
Why do you wanna avoid duplicating the common add_header fields over all
the locations?
The obvious answer being the 'ease' of maintenance is maybe flawed:

1. Two years later, to know the configuration applied to a location by a
certain directive, you would need to look at several places. If you forgot
you put some at server levels, you might end up with 'strange' behaviors.
Even more true if the maintenance is done by someone else...
2. If you want to replace the configuration of a directive amongst all
locations where it is defined, standard Linux (UNIX?) commands such as
grep, sed, cut, awk, etc. are there to handle such repetitive job.
3. Finally, generating similar or identical copies of the same blocks on
high volumes is generally not done by hand, but rather with tools such as
configuration management ones.

I suggest you watch the video 'Scalable configuration' from Igor Sysoev
https://youtu.be/YWRYbLKsS0I, recorded during the nginx user conference
from last year: that would maybe help you understand better what I
attempted to explain here.

What you sometimes think is a problem might actually save you from actually
getting into trouble without even noticing it...
What is 'unefficient' to human eyes might be 'irrelevant' machine-wise...
reverse might also be true. :o)
---
*B. R.*

On Mon, Jan 26, 2015 at 3:35 PM, okamzol <nginx-forum@nginx.us> wrote:

> OK, if I understand this right - in my original config I have 2 additional
> add_header (cache-control) directives in /image location. And these 2
> directives prevent that the security headers will be applied on server
> level? It seems so as this will explain why it works when I apply the
> sec.headers on location level...
>
> But how to handle domain-wide headers like those security headers and
> location specific ones like cache-control? I mean, without repeating all
> securty headers in each location?
>
> Posted at Nginx Forum:
> http://forum.nginx.org/read.php?2,256270,256276#msg-256276
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx

Reply Quote

RSS

Subject	Author	Posted
Behavior of security headers	okamzol	January 26, 2015 06:19AM
Re: Behavior of security headers	Valentin V. Bartenev	January 26, 2015 08:32AM
Re: Behavior of security headers	okamzol	January 26, 2015 08:38AM
Re: Behavior of security headers	Valentin V. Bartenev	January 26, 2015 08:50AM
Re: Behavior of security headers	okamzol	January 26, 2015 09:35AM
Re: Behavior of security headers	B.R.	January 26, 2015 11:06AM

Sorry, only registered users may post in this forum.

Click here to login

Online Users

itpp2012 , merlock

Guests: 176

Record Number of Users: 8 on April 13, 2023

Record Number of Guests: 421 on December 02, 2018