我一直在努力我的nginxconfiguration了一段时间,但不知何故,我似乎有我的头混合。 我在ubuntu 14.04上运行了使用nginx 1.9.12的http / 2并获得了稳定的A评分 。 但是,即使我得到了大部分的头部修改,我得到一个F头部安全 。
我想这可能与我复制粘贴的CORSconfiguration有关 。 但我只是看不到。
看到下面我的configuration文件与一些缩进的path和一些删除的错误页面指令,使其更简单。
任何帮助表示赞赏。
# settings # server_tokens off; # http to https redirect # server { listen 80; server_name gel.westpacgroup.com.au; return 301 https://$host$request_uri; } # ssl and http2 config # server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name gel.westpacgroup.com.au; ssl on; ssl_certificate /path/to/fullchain.pem; ssl_certificate_key /path/to/privkey.pem; ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; ssl_session_tickets off; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; ssl_dhparam /path/to/dhparam.pem; ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; # OCSP Stapling --- # fetch OCSP records from URL in ssl_certificate and cache them ssl_stapling on; ssl_stapling_verify on; # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains;' always; # prevent clickjacking attacks add_header X-Frame-Options 'SAMEORIGIN'; # disallow circumventing declared MIME types add_header X-Content-Type-Options nosniff; # X-XSS-Protection add_header X-XSS-Protection '1; mode=block'; # root server # location / { root /path/to/; index index.html index.htm; # Wide-open CORS config for nginx # if ($request_method = 'OPTIONS') { add_header 'Access-Control-Allow-Origin' '*'; # Om nom nom cookies add_header 'Access-Control-Allow-Credentials' 'true'; add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; # Custom headers and headers various browsers *should* be OK with but aren't add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'; # Tell client that this pre-flight info is valid for 20 days add_header 'Access-Control-Max-Age' 1728000; add_header 'Content-Type' 'text/plain charset=UTF-8'; add_header 'Content-Length' 0; return 204; } if ($request_method = 'POST') { add_header 'Access-Control-Allow-Origin' '*'; add_header 'Access-Control-Allow-Credentials' 'true'; add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'; } if ($request_method = 'GET') { add_header 'Access-Control-Allow-Origin' '*'; add_header 'Access-Control-Allow-Credentials' 'true'; add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'; } if ($request_method = 'GET') { add_header 'Access-Control-Allow-Origin' '*'; add_header 'Access-Control-Allow-Credentials' 'true'; add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'; } } # redirect server error pages to the static error pages # # deny access to .htaccess files, if Apache's document root # concurs with nginx's one # location ~ /\.ht { deny all; } } 它看起来像我这些头还没有被添加 – strict-transport-security等。要使用add_header你需要从包含headers_more模块的源代码生成nginx。 你做到了吗? 如果没有, 这里有一个教程 。
(更新 – 这是必需的,不知道为什么)你可能想尝试移动add_headers在一个位置块内,看看是否工作得更好。
做一个简单的testing – 在你的主要位置添加一个简单的,无条件的头文件,并使用curl或Firefox和“Live HTTP Headers”扩展来查看它。
add_header Z_TESTHEADER "value"