I'm trying to add some headers to the nginx config, but right now only one header is working (Strict-Transport-Security).

upstream puma_muninn {
  server app:3000;
}

server {
  listen 80;
  return 301 https://$host$request_uri;
}

server {
  listen  443 default ssl;
  server_name production.test.com;
  root /var/www/muninn/public;

  ssl on;

  ssl_certificate /var/www/muninn/test.crt;
  ssl_certificate_key /var/www/muninn/test.key;

  ssl_session_timeout  5m;
  ssl_protocols  SSLv2 SSLv3 TLSv1;
  ssl_ciphers  HIGH:!aNULL:!MD5;
  ssl_prefer_server_ciphers   on;

  client_max_body_size 4G;
  keepalive_timeout 10;

  error_page 500 502 504 /500.html;
  error_page 503 @503;

  try_files $uri/index.html $uri @puma_muninn;

  location @puma_muninn {
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options nosniff;
    add_header Content-Security-Policy "default-src 'self';";
    add_header 'Referrer-Policy' 'origin';


    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;

    access_log /var/www/muninn/log/nginx.access.log;
    error_log /var/www/muninn/log/nginx.error.log;
  }
}

If I add some headers on my Rails side:

config.action_dispatch.default_headers = {
  'X-Frame-Options' => 'SAMEORIGIN'
}

It turns off all headers from nginx.

Ideas?

Croaton

1 Answer

0

To ensure all of your application's traffic is treated equally as far as security goes, move those add_header declarations outside the location block and avoid setting headers in your application that are already being set in NGINX. Your file should look something like this:

upstream puma_muninn {
  server app:3000;
}

server {
  listen 80;
  return 301 https://$host$request_uri;
}

server {
  listen  443 default ssl;
  server_name production.test.com;
  root /var/www/muninn/public;

  ssl on;

  ssl_certificate /var/www/muninn/test.crt;
  ssl_certificate_key /var/www/muninn/test.key;

  ssl_session_timeout  5m;
  ssl_protocols  SSLv2 SSLv3 TLSv1;
  ssl_ciphers  HIGH:!aNULL:!MD5;
  ssl_prefer_server_ciphers   on;

  client_max_body_size 4G;
  keepalive_timeout 10;

  error_page 500 502 504 /500.html;
  error_page 503 @503;

  try_files $uri/index.html $uri @puma_muninn;
  # Equal security to all requests
  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
  add_header X-Frame-Options "SAMEORIGIN";
  add_header X-XSS-Protection "1; mode=block";
  add_header X-Content-Type-Options nosniff;
  add_header Content-Security-Policy "default-src 'self';";
  add_header 'Referrer-Policy' 'origin';

  location @puma_muninn {
    # No need to specify security headers here, since the server-level config will take care of the rest.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;

    access_log /var/www/muninn/log/nginx.access.log;
    error_log /var/www/muninn/log/nginx.error.log;
  }
}

If you are enforcing all SSL/TLS, cookie and HSTS security in NGINX you should remove security headers from your Rails application, as you may have followed similar steps as this answer. Duplicate headers can trigger a false negative or even a real one in those automatic site analysis tools.

ErvalhouS
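The following is an added example, not code from the question or the answer, that models offline what a browser would receive from the two layouts above: headers inside the @puma_muninn location (the question) versus headers at server level with the Rails defaults removed (the answer). It reproduces two rules from the nginx ngx_http_headers_module documentation: add_header directives are inherited from the enclosing level only when the current level defines none of its own, and without the `always` flag add_header is applied only to 2xx/3xx success and redirect responses. nginx appends add_header values after whatever the upstream sent, which is why a header set in both Rails and nginx reaches the client twice. The configs, the "/api/" location, the `build_config`/`report` helpers and the Rails header list are all constructed for this example.

```python
"""Which security headers does the browser actually see? (added example)

Reproduces two documented nginx rules in plain Python so the layouts from the
question and the answer can be compared offline:
  1. add_header is inherited from the enclosing level only when the current
     level defines no add_header of its own, so a single add_header inside a
     location drops every server-level header for that location.
  2. Without `always`, add_header applies only to status 200, 201, 204, 206,
     301, 302, 303, 304, 307 and 308.
nginx appends add_header values and never replaces what the upstream sent, so
a header set in Rails and in nginx reaches the client twice.
The parser is minimal (braces, add_header, location names); the configs and
upstream headers are constructed samples, not real Rails output.
"""
import shlex

SUCCESS_CODES = {200, 201, 204, 206, 301, 302, 303, 304, 307, 308}
# Expected on every response; X-XSS-Protection is omitted, current browsers ignore it.
EXPECTED = ["Strict-Transport-Security", "X-Frame-Options",
            "X-Content-Type-Options", "Content-Security-Policy", "Referrer-Policy"]
SECURITY_HEADERS = """
  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
  add_header X-Frame-Options "SAMEORIGIN";
  add_header X-XSS-Protection "1; mode=block";
  add_header X-Content-Type-Options nosniff;
  add_header Content-Security-Policy "default-src 'self';";
  add_header 'Referrer-Policy' 'origin';
"""
# Constructed: what a Rails default_headers setting might add to every app response.
RAILS_DEFAULT_HEADERS = [("Content-Type", "text/html; charset=utf-8"),
                         ("X-Frame-Options", "SAMEORIGIN"),
                         ("X-XSS-Protection", "1; mode=block"),
                         ("X-Content-Type-Options", "nosniff")]
APP_HEADERS_REMOVED = [("Content-Type", "text/html; charset=utf-8")]


def build_config(headers_in_location):
    """Constructed config: security headers inside the proxy location (question
    layout) or at server level (answer layout); /api/ adds a header of its own."""
    at_server = "" if headers_in_location else SECURITY_HEADERS
    at_location = SECURITY_HEADERS if headers_in_location else ""
    return (f"server {{\n  listen 443 ssl;\n{at_server}\n"
            f"  location @puma_muninn {{\n{at_location}\n    proxy_pass http://puma_muninn;\n  }}\n"
            f"  location /api/ {{\n    add_header Cache-Control \"no-store\";\n"
            f"    proxy_pass http://puma_muninn;\n  }}\n}}\n")


def parse_add_headers(config):
    """Return {scope: (parent_scope, [(name, value, always), ...])}."""
    scopes, stack, nserver = {}, [], 0
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments (no '#' inside values here)
        if line.endswith("{"):
            words = line[:-1].split()
            if words[0] == "server":
                nserver += 1
                path = f"server[{nserver}]"
            elif words[0] == "location":
                path = f"{stack[-1]}/location {words[-1]}"
            else:
                path = words[0]                       # upstream, http, ... (headers ignored there)
            scopes[path] = (stack[-1] if stack else None, [])
            stack.append(path)
        elif line == "}":
            stack.pop()
        elif line.startswith("add_header ") and stack:
            parts = shlex.split(line.rstrip(";"))     # shlex keeps quoted values intact
            scopes[stack[-1]][1].append((parts[1], parts[2], parts[-1] == "always"))
    return scopes


def effective_add_headers(scopes, scope):
    """Rule 1: walk outward until a level that defines its own add_header."""
    while scope is not None:
        parent, headers = scopes[scope]
        if headers:
            return headers
        scope = parent
    return []


def client_headers(upstream_headers, add_headers, status):
    """Upstream headers pass through; nginx appends its own (rule 2 for `always`)."""
    seen = list(upstream_headers)
    for name, value, always in add_headers:
        if always or status in SUCCESS_CODES:
            seen.append((name, value))
    return seen


def audit(headers):
    """Duplicated and missing security headers, names compared case-insensitively."""
    counts = {}
    for name, _ in headers:
        counts[name.lower()] = counts.get(name.lower(), 0) + 1
    return {"duplicates": sorted(n for n, c in counts.items() if c > 1),
            "missing": [n for n in EXPECTED if n.lower() not in counts]}


def report(config, upstream_headers, status=200):
    """Audit result per location for one response status."""
    scopes = parse_add_headers(config)
    return {scope.split("/", 1)[1]:
            audit(client_headers(upstream_headers, effective_add_headers(scopes, scope), status))
            for scope in scopes if "/location " in scope}


if __name__ == "__main__":
    runs = [("question", build_config(True), RAILS_DEFAULT_HEADERS),
            ("answer", build_config(False), APP_HEADERS_REMOVED)]
    for label, cfg, upstream in runs:
        for status in (200, 500):
            for loc, result in report(cfg, upstream, status).items():
                print(f"{label:8} {status} {loc:24} {result}")
```

Running it shows the three things worth checking before trusting a header scanner's verdict: with the question's layout and Rails still setting its defaults, X-Frame-Options, X-Content-Type-Options and X-XSS-Protection arrive twice; any location that sets even one unrelated add_header (the constructed /api/ with Cache-Control) silently loses all server-level security headers under both layouts; and on a 500 response only Strict-Transport-Security survives, because it is the only directive carrying `always`.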