In the Nginx config file, I set X-Frame-Options to DENY, and I do see the correct header in the response headers:
X-Frame-Options: DENY
I can still open my app in the iframe in a test HTML page:
<HTML>
<H1>
Test
</H1>
<iframe src="https://myapplication.com" title="description"></iframe>
</HTML>
Is this a valid test? Anything I missed?
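Two nginx behaviours can leave a framed response without the header even when another response from the same server shows it: `add_header` without `always` is skipped on error responses, and a `location` with its own `add_header` inherits none from the server level. The config below is an added example, not from the post; the `/app/` path, the `weak.example` name and the document root are assumptions, and the page does not say whether either behaviour applies to the poster's setup.

```nginx
# Constructed example. Two server blocks side by side: first the weak form,
# then the corrected one. Host names, paths and root are assumptions.

# --- Weak: header present on some responses only ---
server {
    listen 80;
    server_name weak.example;
    root /usr/share/nginx/html;

    # Without "always", nginx adds this only to responses with status
    # 200, 201, 204, 206, 301, 302, 303, 304, 307 or 308, not to 4xx/5xx pages.
    add_header X-Frame-Options DENY;

    location /app/ {
        # A location with its own add_header inherits none from the server
        # level, so /app/ responses carry no X-Frame-Options at all.
        add_header Cache-Control no-cache;
    }
}

# --- Corrected: every response refuses framing ---
server {
    listen 80;
    server_name myapplication.com;   # host from the question
    root /usr/share/nginx/html;

    add_header X-Frame-Options DENY always;
    # CSP equivalent; browsers that support frame-ancestors use it in
    # preference to X-Frame-Options.
    add_header Content-Security-Policy "frame-ancestors 'none'" always;

    location /app/ {
        add_header Cache-Control no-cache;
        # Repeated here because this level defines add_header itself.
        add_header X-Frame-Options DENY always;
        add_header Content-Security-Policy "frame-ancestors 'none'" always;
    }
}
```

When testing, compare the headers on the document the frame finally loads (after any redirects), since that is the response the browser evaluates.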
I am quite new to NGINX and within this topic it is still very hard for me to find the right buzzwords to have more successful search results. That is why I try to describe my problem here and maybe some of you can point me in the right direction. For my own personal project I want to set up a website which is composed of several micro services (which all have their own frontend).
My idea was to have one NGINX server running as a web server to deliver some kind of HTML which then includes the content of the micro services via server side includes (SSI).
Since the SSI can only include files and local folders as I understand I added some proxy_pass to my local server configuration:
http {
    server {
        listen 80;
        ssi on;
        root /usr/share/nginx/html;
        location /led-todo {
            proxy_pass http://led-todo-frontend:3000/;
        }
    }
}
Since I have NGINX and my micro services running in the same docker-compose, the URL http://led-todo-frontend:3000 works.
The issue I am facing now is that when I access my index.html page:
<html>
<head>
</head>
<body>
<!--# include virtual="test.html"-->
<!--# include virtual="/led-todo/"-->
</body>
</html>
The index.html content of my micro service is actually included into the above shown html site.
The issue arises when the script tags within my included html content are resolved:
<script src="/static/js/bundle.js">
The browser tries to load them from:
http://localhost:8080/static/js/bundle.js
Instead of:
http://localhost:8080/led-todo/static/js/bundle.js
Which then would again trigger the proxy pass to the correct micro service.
I feel like there should be some parameters to define the root or something so that /static/js/bundle.js is not loaded from localhost:8080 but from localhost:8080/led-todo in the following part of the NGINX configuration:
location /led-todo {
    proxy_pass http://led-todo-frontend:3000/;
}
I tried several things I found on the internet, but somehow I am missing the words to describe this issue so that I can find results...
Anyone know how to solve this issue, or know at least some buzzwords I can search for?
This isn't a very elegant solution, but you can try on-the-fly rewriting of those tags' content with the ngx_http_sub_module; something like this could work:
location /led-todo/ {
    proxy_pass http://led-todo-frontend:3000/;
    sub_filter_once off;
    # uncomment to do substitution inside CSS or JS content too
    # sub_filter_types text/css application/javascript;
    sub_filter 'href="/' 'href="/led-todo/';
    sub_filter "href='/" "href='/led-todo/";
    sub_filter 'src="/' 'src="/led-todo/';
    sub_filter "src='/" "src='/led-todo/";
}
I'm setting up a web server that contains live video streaming embedded into the HTML5 video tag. My workflow is to grab the RTSP video from an IP camera, decode it to an HLS format using ffmpeg and send the video to my server.
Nginx allows access to the video through a url, which I put in my video tag as a source.
Everything works perfectly, the only problem is that anyone can access the URL of the video and put that URL on their website without my permission.
Is there any way to only allow my domain to access it, and block, for example, www.domain2.com from putting it into their video tag or another framework that they use? I think Nginx can do the job, maybe.
Here is the Nginx config and my HTML in case it is needed.
HTML:
<video id="player" class="video-js vjs-default-skin vjs-big-play-centered vjs-fluid" controls preload="none">
<source src="//mydomain.com/live/stream.m3u8" type="application/x-mpegURL" />
Nginx:
location /live {
    types {
        application/vnd.apple.mpegurl m3u8;
    }
    limit_conn addr 5;
    alias /home/stream;
    add_header Cache-Control no-cache;
    add_header 'Access-Control-Allow-Origin' '*';
}
Many thanks guys!
If you have a fixed IP, you could use the allow and deny commands in an nginx block; you can check how to use them here: http://etapien.com/guides/nginx-allow-access-certain-ips/
location /live {
    types {
        application/vnd.apple.mpegurl m3u8;
    }
    # .. some config
    allow 192.168.1.0/24; #your company subaddress
    allow 10.1.1.0/16; #your company IP
    deny all;
}
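The question asks about restricting by embedding site rather than by client IP; a Referer allowlist with ngx_http_referer_module, combined with a narrower CORS header, is one way to do that. This is an added example, not part of either post: it assumes the site is served over https from mydomain.com, and because the Referer header is client-supplied and can be forged or stripped, it stops casual embedding only.

```nginx
# Constructed example based on the location block in the question.
# Assumptions: the site is served over https from mydomain.com and its
# subdomains; limit_conn is left out to keep the fragment self-contained.
location /live {
    types {
        application/vnd.apple.mpegurl m3u8;
    }
    alias /home/stream;

    # ngx_http_referer_module: $invalid_referer is "1" unless the Referer
    # matches one of these. "none" is deliberately absent, so requests
    # without a Referer are rejected too; add it if your own players
    # send none.
    valid_referers server_names mydomain.com *.mydomain.com;
    if ($invalid_referer) {
        return 403;
    }

    add_header Cache-Control no-cache;
    # Was '*': any origin's script-based player could read the playlist.
    # Naming one origin limits cross-origin reads to that site.
    add_header Access-Control-Allow-Origin "https://mydomain.com";
}
```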
I have an nginx server and want to prevent caching of my website's HTML files. How can I achieve this?
Additionally, I want to ask where the nginx server config is usually located.
You can set the content to 0 as below which tells the browser to always load content from the web server
<meta http-equiv="expires" content="0">
Nginx config is located in /etc/nginx/ by default.
With
ps -ef | grep nginx
you can find the nginx master process and see which config file it has loaded.
To set a header that disables caching of HTML, use this:
location ~* \.(html)$ {
    add_header Cache-Control "no-cache, must-revalidate";
}
I want to simultaneously optimize my site for HTTP/2 and HTTP/1.x. For HTTP/2 (and SPDY), since there are no additional round-trips for requests, I'd like to serve my CSS and JS files separately, to gain the benefit of independently caching each file. However, if I only did that, HTTP/1.x clients would suffer from additional round-trips; so for them, I'd like to serve my CSS and JS files concatenated.
Ideally, HTTP/2 users would be served this HTML:
<html>
<head>
<link rel="stylesheet" href="stylesheet-1.css">
<link rel="stylesheet" href="stylesheet-2.css">
</head>
<body>
<script src="script-1.js"></script>
<script src="script-2.js"></script>
</body>
</html>
And HTTP/1.x users would be served this HTML:
<html>
<head>
<link rel="stylesheet" href="all-stylesheets.css">
</head>
<body>
<script src="all-scripts.js"></script>
</body>
</html>
Is it possible to configure nginx to serve different HTML files depending on the client's protocol?
Yes, you can do so via the $server_protocol variable. I would usually recommend interpolating file locations by variable expansion. But in this case I fear this would leave you open to injection attacks, as the content of this variable seems to be copied verbatim from the request line.
There is a solution by exploiting the ngx_http_map_module, though. Assuming your site sits in /srv/www:
map $server_protocol $version {
    default "1.1";
    "HTTP/2.0" "2.0";
    # extra case for any SPDY version
    "~SPDY/" "2.0";
}
server {
    listen [::]:80;
    # The line below requires a working SSL configuration!
    listen [::]:443 ssl http2;
    server_name example.com;
    root /srv/www/http-1.1/htdocs;
    location / {
        root /srv/www/http-$version/htdocs;
        try_files $uri $uri/ @fallback;
    }
    # fallback for HTTP/1.1 files. If this fails as well, we get a 404.
    location @fallback {
        try_files $uri $uri/ =404;
    }
}
This would serve all requests out of /srv/www/http-2.0/htdocs for HTTP/2.0 requests and out of /srv/www/http-1.1/htdocs for all others. If a resource specially crafted for HTTP/2.0 cannot be found, the corresponding file for HTTP/1.1 is served as a fallback.
I'm trying to move to nginx from apache, but one of the features I use most in apache is the SSI includes. I'm testing how nginx deals with SSI but I'm having some problems...
If an include virtual file doesn't exist I'm getting a 404 page embedded, not even the [an error has occurred] message. With apache SSI, if the file doesn't exist an error is shown as a comment.
The other point is, with the apache SSIErrorMsg directive I can set the error text at server config level, but I couldn't find this in nginx, just the <!--# config errmsg="custom error" --> inside the HTML. I couldn't see a directive like SSIErrorMsg in the nginx documentation.
nginx 404 SSI error:
<html>
<head>
<title>simple</title>
</head>
<body>
<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.6.2</center>
</body>
</html>
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
</body>
</html>
but in apache:
<html>
<head>
<title>simple</title>
</head>
<body>
<!-- Error -->
</body>
</html>
The error message only appears in nginx when for instance I write a ssi include with some typo like
<!--#include virtualll="example.html"-->
Is there a way to show an error instead of embedding the 404 file in case of not found?
This is the nginx server config:
server {
    listen 80;
    server_name demo.localhost;
    ssi on;
    ssi_silent_errors off;
    location / {
        root /var/www/demoweb;
    }
}
If I set ssi_silent_errors off; nothing is shown but I want something like <!--Error--> as apache does