nginx map of header from upstream goes to default - nginx

I want to have a conditional header based on a header I want to get from the upstream.
For some reason it always gets translated to default.
Configuration:
upstream service decides if a header called x-no-iframe-protection should exist.
main nginx:
map $http_x_no_iframe_protection $x_frame_options {
yes "";
default "SAMEORIGIN";
}
server {
...
add_header X-Frame-Options $x_frame_options;
...
}
No matter what I try - I get both headers:
$ curl -v myhost
...
< x-no-iframe-protection: yes
< x-frame-options: SAMEORIGIN
...
Just to clarify - I use the x-no-iframe-protection just as a trick to remove x-frame-options in specific cases. I'm OK with it staying (although it is not needed once parsed by nginx)
Anyways - how can I make it get caught in order to replace the header value?

An HTTP transaction contains request headers and response headers. From the context of your question you are setting the value of a response header based on the value of another response header (which was received from upstream).
Nginx stores request headers in variables with names beginning with $http_ and response headers in variables with names beginning with $sent_.
In addition, response headers received from upstream may also be stored in variables with names beginning with $upstream_http_.
In your configuration you use the variable $http_x_no_iframe_protection, whereas you should be using either $sent_x_no_iframe_protection or perhaps $upstream_http_x_no_iframe_protection.
All of the Nginx variables are documented here.

try using $upstream_x_no_iframe_protection to access upstream response header.

Related

How to change Content-length in body_filter_by_lua* in openresty

I am using openresty as a proxy server, which may change response from upstream. Directive header_filter_by_lua* is executed before body_filter_by_lua*. But I changed Content-length in body_filter_by_lua*, and headers has been sent at that time.
So how to set correct Content-length when response from upstream is changed in body_filter_by_lua*?
Thank you!
From https://github.com/openresty/lua-nginx-module#body_filter_by_lua:
When the Lua code may change the length of the response body, then it is required to always clear out the Content-Length response header (if any) in a header filter to enforce streaming output, as in
location /foo {
# fastcgi_pass/proxy_pass/...
header_filter_by_lua_block { ngx.header.content_length = nil }
body_filter_by_lua 'ngx.arg[1] = string.len(ngx.arg[1]) .. "\\n"';
}
I expect that nginx would use http://greenbytes.de/tech/webdav/rfc2616.html#chunked.transfer.encoding in this case (didn't test)

Nginx auth_request handler accessing POST request body?

I'm using Nginx (version 1.9.9) as a reverse proxy to my backend server. It needs to perform authentication/authorization based on the contents of the POST requests. And I'm having trouble reading the POST request body in my auth_request handler. Here's what I got.
Nginx configuration (relevant part):
server {
location / {
auth_request /auth-proxy;
proxy_pass http://backend/;
}
location = /auth-proxy {
internal;
proxy_pass http://auth-server/;
proxy_pass_request_body on;
proxy_no_cache "1";
}
}
And in my auth-server code (Python 2.7), I try to read the request body like this:
class AuthHandler(BaseHTTPServer.BaseHTTPRequestHandler):
def get_request_body(self):
content_len = int(self.headers.getheader('content-length', 0))
content = self.rfile.read(content_len)
return content
I printed out the content_len and it had the correct value. However, the self.rfile.read() will simply hang. And eventually it will time out and returns "[Errno 32] Broken pipe".
This is how I posted test data to the server:
$ curl --data '12345678' localhost:1234
The above command hangs as well and eventually times out and prints "Closing connection 0".
Any obvious mistakes in what I'm doing?
Thanks much!
The code of the nginx-auth-request-module is annotated at nginx.com. The module always replaces the POST body with an empty buffer.
In one of the tutorials, they explain the reason, stating:
As the request body is discarded for authentication subrequests, you will
need to set the proxy_pass_request_body directive to off and also set the
Content-Length header to a null string
The reason for this is that auth subrequests are sent at HTTP GET methods, not POST. Since GET has no body, the body is discarded. The only workaround with the existing module would be to pull the needed information from the request body and put it into an HTTP header that is passed to the auth service.

Proxy a request - get a parameter from URL, add a header and update request URL using Nginx

I am looking for a way to do the following using Nginx:
Intercept a request
Read URL, parse it and read a value from it.
Add that value as a new request header
Update the URL (remove a particular value)
Forward the request to another server
e.g
Request URL - http://<<nginx>>/test/001.xml/25
Final URL - http://<<server>>/test/001.xml with header (x-replica: 25)
I have a nginx server setup with a upstream for the actual server. I was wondering how do I setup Nginx to achieve this ?
Since the data exists within the request URI itself (available by the $uri variable in nginx), you can parse that using the nginx lua module. nginx will need to be compiled with lua for this to work, see: openresty's nginx lua module.
From there you can use the set_by_lua_block or set_by_lua_file directive given $uri as a parameter.
In configuration this would look something like:
location / {
...
set_by_lua_file $var_to_set /path/to/script.lua $uri;
# $var_to_set would contain the result of the script from this point
proxy_set_header X-Replica $var_to_set;
...
}
In script.lua we can access the $uri variable from in the ngx.arg list (see these docs):
function parse_uri( uri )
parsed_uri = uri
-- Parse logic here
return parsed_uri
end
return parse_uri( ngx.arg[1] )
Similarly, you can modify this function or create another to make a variable with the updated $uri.

CORS and non 200 statusCode

I have CORS working well with Nginx. The APIs are designed to send non HTTP 200 status code, for example, 401, 404, etc., in case of bad input. The problem is that Chrome cancels/abort the request if it receives a non HTTP 200 status code. Due to this reason, I am not able to show the exact error on the Web client.
What is the way around for CORS non 200 status code errors?
By default Nginx only adds headers for requests it considers successful. You can make it add the header without regard for the response code, by adding the always parameter to your add_header directive, e.g.
add_header 'Access-Control-Allow-Origin' '*' always;
Adding the always parameter to the Access-Control-Allow-Origin header is not enough. The always parameter needs to be added to the headers that need to be always added. In some cases, you will need to add the always parameter to the Access-Control-Allow-Credentials header.
add_header 'Access-Control-Allow-Credentials' 'true' always;
You need to use the more_set_headers module.
with -s you can scpecify more status code
more_set_headers -s '404,400,403' 'Access-Control-Allow-Origin: http://domain.com';
However if you don't have installed this module in nginx you need to recompile it.
to compile it :
wget http://nginx.org/download/nginx-1.7.8.tar.gz
git clone https://github.com/openresty/headers-more-nginx-module.git
tar -xzvf nginx-1.7.8.tar.gz
cd nginx-1.7.8
./configure --prefix=/opt/nginx --add-module=/path/to/headers-more-nginx-module
make
make install

How can remove Nginx from http response header?

I want to remove Nginx from http response header. I can Hide my Nginx version but I want to hide Nginx too.
Thanks
Use the ngx_headers_more module - see http://wiki.nginx.org/NginxHttpHeadersMoreModule.
It allows you to configure any arbitrary headers you'd like - both request and response headers. Once you've installed it (and thus recompiled your version of Nginx), use the following configuration:
more_set_headers 'Server: my-server';
Alternatively, if you don't want a Server header at all, then clear it using:
more_clear_headers 'Server';

Resources