Move add_header directives to location blocks in proxy config.

Move the add_header directives to the location blocks in the nginx proxy config, because add_header directives in location blocks override add_header directives in the server block. See e.g. https://serverfault.com/questions/400197/add-header-directives-in-location-overwriting-add-header-directives-in-server. Fixes #8929.
ICTU · Jul 4, 2024 · 9bf7a68 · 9bf7a68
1 parent 9e7f2e5
commit 9bf7a68
Show file tree

Hide file tree

Showing 4 changed files with 424 additions and 4 deletions.
diff --git a/components/proxy/default.conf.template b/components/proxy/default.conf.template
@@ -1,33 +1,49 @@
 server {
     listen          ${PROXY_PORT};
-    add_header      Strict-Transport-Security "max-age=31536000;";
-    add_header      X-XSS-Protection "1; mode=block";
-    add_header      X-Content-Type-Options "nosniff";
-    add_header      X-Frame-Options "DENY";
     gzip            on;
     server_tokens   off;
     access_log      off;
 
     location /api/internal/nr_measurements {
+        add_header          Strict-Transport-Security "max-age=31536000;";
+        add_header          X-XSS-Protection "1; mode=block";
+        add_header          X-Content-Type-Options "nosniff";
+        add_header          X-Frame-Options "DENY";
         gzip                off;
         proxy_http_version  1.1;
         proxy_read_timeout  24h;
         proxy_set_header    Connection "";
         proxy_pass          http://${API_SERVER_HOST}:${API_SERVER_PORT}/api/internal/nr_measurements;
     }
     location /api/internal/datamodel {
+        add_header          Strict-Transport-Security "max-age=31536000;";
+        add_header          X-XSS-Protection "1; mode=block";
+        add_header          X-Content-Type-Options "nosniff";
+        add_header          X-Frame-Options "DENY";
         add_header          Cache-Control "no-cache";
         proxy_pass          http://${API_SERVER_HOST}:${API_SERVER_PORT}/api/internal/datamodel;
     }
     location /api/internal/logo {
+        add_header          Strict-Transport-Security "max-age=31536000;";
+        add_header          X-XSS-Protection "1; mode=block";
+        add_header          X-Content-Type-Options "nosniff";
+        add_header          X-Frame-Options "DENY";
         add_header          Cache-Control "no-cache";
         proxy_pass          http://${API_SERVER_HOST}:${API_SERVER_PORT}/api/internal/logo;
     }
     location /api {
+        add_header          Strict-Transport-Security "max-age=31536000;";
+        add_header          X-XSS-Protection "1; mode=block";
+        add_header          X-Content-Type-Options "nosniff";
+        add_header          X-Frame-Options "DENY";
         add_header          Cache-Control "no-store";
         proxy_pass          http://${API_SERVER_HOST}:${API_SERVER_PORT}/api;
     }
     location / {
+        add_header          Strict-Transport-Security "max-age=31536000;";
+        add_header          X-XSS-Protection "1; mode=block";
+        add_header          X-Content-Type-Options "nosniff";
+        add_header          X-Frame-Options "DENY";
         add_header          Cache-Control "no-store";
         proxy_pass          http://${FRONTEND_HOST}:${FRONTEND_PORT}/;
     }