I have an nginx server block like this, and I am trying to use the `proxy_hide_header` directive to hide the `Content-Security-Policy` response header from the proxied server, because I am not running an SSL server in a local environment and so the forced upgrade caused by that header is unhelpful.
```nginx
server {
    include conf.d/environment.conf;
    listen 80;
    server_name ~^app.*\.acme\..*;

    location / {
        proxy_hide_header "Content-Security-Policy";
        proxy_pass $app_endpoint$uri$is_args$args;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
    }
}
```
If I test the nginx proxy with curl:

```sh
curl -s -v http://app.acme.io/app/path/ >/dev/null
```

then this happens:
```
> GET /app/path/ HTTP/1.1
> Host: app.acme.io
> User-Agent: curl/7.64.1
> Accept: */*
>
< HTTP/1.1 200
< Server: nginx
< Date: Tue, 02 Jun 2020 14:38:16 GMT
< Content-Type: text/html;charset=ISO-8859-1
< Content-Length: 4231
< Connection: keep-alive
< X-Frame-Options: SAMEORIGIN
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Content-Security-Policy: upgrade-insecure-requests
< Referrer-Policy: strict-origin-when-cross-origin
<
```
In other words, the `proxy_hide_header` directive is not having the expected effect.
[ I know the server block shown is the server block being processed, because it is the only one that references the proxied server of interest and I know that the proxied server is the one being hit. ]
Why isn't the `proxy_hide_header` directive working in this case?
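As an added example (not part of the question, and not nginx's own tooling): a small Python check that reads a `curl -v` transcript, collects the response headers the proxy actually emitted, and reports whether each header you intended to hide is really gone. Running it against the transcript above makes the failure visible as a single boolean rather than something you have to eyeball. The transcript embedded below is constructed from the headers shown in the question.

```python
"""Check whether a reverse proxy stripped a response header, from `curl -v` output.

Added example: parses the `<` (response) lines of a curl verbose transcript
and reports which headers survived the proxy. This is not nginx code.
"""
from typing import Dict, List, Tuple

# Constructed sample: the transcript from the question, pasted verbatim.
SAMPLE_TRANSCRIPT = """\
> GET /app/path/ HTTP/1.1
> Host: app.acme.io
> User-Agent: curl/7.64.1
> Accept: */*
>
< HTTP/1.1 200
< Server: nginx
< Date: Tue, 02 Jun 2020 14:38:16 GMT
< Content-Type: text/html;charset=ISO-8859-1
< Content-Length: 4231
< Connection: keep-alive
< X-Frame-Options: SAMEORIGIN
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Content-Security-Policy: upgrade-insecure-requests
< Referrer-Policy: strict-origin-when-cross-origin
<
"""


def parse_response_headers(transcript: str) -> Dict[str, List[str]]:
    """Return response headers from curl -v output, keyed by lowercase name.

    Only lines prefixed with '<' are response lines; the status line and the
    empty line that ends the header block are skipped. Header names are
    case-insensitive, so they are normalised to lowercase, and a list is kept
    per name because a header may legitimately be repeated.
    """
    headers: Dict[str, List[str]] = {}
    for raw in transcript.splitlines():
        if not raw.startswith("<"):
            continue                      # request line or curl chatter
        line = raw[1:].strip()
        if not line or line.startswith("HTTP/"):
            continue                      # end-of-headers marker or status line
        name, sep, value = line.partition(":")
        if not sep:
            continue                      # not a header line
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def header_hidden(headers: Dict[str, List[str]], name: str) -> bool:
    """True if `name` is absent from the response, i.e. the proxy removed it."""
    return name.lower() not in headers


def csp_directives(headers: Dict[str, List[str]]) -> List[str]:
    """Split every Content-Security-Policy value into its individual directives."""
    directives: List[str] = []
    for value in headers.get("content-security-policy", []):
        directives.extend(d.strip() for d in value.split(";") if d.strip())
    return directives


def audit(transcript: str,
          expect_hidden: Tuple[str, ...] = ("Content-Security-Policy",)) -> Dict[str, bool]:
    """For each header the proxy was configured to hide, report whether it is really gone."""
    headers = parse_response_headers(transcript)
    return {h: header_hidden(headers, h) for h in expect_hidden}


if __name__ == "__main__":
    hdrs = parse_response_headers(SAMPLE_TRANSCRIPT)
    for name, gone in audit(SAMPLE_TRANSCRIPT).items():
        print(f"{name}: {'hidden' if gone else 'STILL PRESENT'}")
    print("CSP directives:", csp_directives(hdrs))
```

Feed it a live transcript with `curl -s -v URL 2>&1 >/dev/null | python3 check.py` after replacing `SAMPLE_TRANSCRIPT` with `sys.stdin.read()`; the `audit` result is what you would assert on in a deployment smoke test so that a header you meant to strip cannot silently come back after a config change.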
0 Answers