3

I want to have a conditional header based on a header I want to get from the upstream. For some reason it always gets translated to default.

Configuration: upstream service decides if a header called x-no-iframe-protection should exist.

main nginx:

```nginx
map $http_x_no_iframe_protection $x_frame_options {
    yes "";
    default "SAMEORIGIN";
}

server {
    ...
    add_header X-Frame-Options $x_frame_options;
    ...
}
```

No matter what I try - I get both headers:

```
$ curl -v myhost
...
< x-no-iframe-protection: yes
< x-frame-options: SAMEORIGIN
...
```

Just to clarify - I use the x-no-iframe-protection just as a trick to remove x-frame-options in specific cases. I'm OK with it staying (although it is not needed once parsed by nginx)

Anyways - how can I make it get caught in order to replace the header value?

Boaz
  • Look [here](https://stackoverflow.com/questions/53754229/using-a-header-to-filter-proxied-response-headers), I think this question is similar to yours. – Ivan Shatsky Nov 13 '19 at 06:48
  • `$http_x_no_iframe_protection` is the value of a request header, you may have some luck with `$sent_http_x_no_iframe_protection` which is the value of the response header. – Richard Smith Nov 13 '19 at 09:02
  • @RichardSmith - it worked! please formulate your comment as answer so I can accept it – Boaz Nov 26 '19 at 20:13

2 Answers

3

An HTTP transaction contains request headers and response headers. From the context of your question you are setting the value of a response header based on the value of another response header (which was received from upstream).

Nginx stores request headers in variables with names beginning with `$http_` and response headers in variables with names beginning with `$sent_`.

In addition, response headers received from upstream may also be stored in variables with names beginning with `$upstream_http_`.

In your configuration you use the variable `$http_x_no_iframe_protection`, whereas you should be using either `$sent_x_no_iframe_protection` or perhaps `$upstream_http_x_no_iframe_protection`.

All of the Nginx variables are documented here.

Richard Smith
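The configuration from the question rewritten to key on the upstream response header, as an added example that is not part of the original posts. The upstream address, the listen port and the two `proxy_hide_header` lines are assumptions introduced here; `$upstream_http_*` and `$sent_http_*` are standard nginx variables.

```nginx
# Added example, not from the original post. The upstream address and the
# listen port are assumptions.

# map variables are evaluated when they are used. add_header is applied while
# the response headers are being sent, so the upstream response has already
# been read and $upstream_http_* is populated by then.
map $upstream_http_x_no_iframe_protection $x_frame_options {
    yes     "";            # upstream opted out: empty value, header not added
    default "SAMEORIGIN";  # every other response stays protected
}

server {
    listen 80;

    location / {
        proxy_pass http://127.0.0.1:8080;   # assumed upstream

        # Keep the internal signalling header away from clients.
        # $upstream_http_* still sees it; $sent_http_* would not, because
        # a hidden header is never copied into the outgoing response.
        proxy_hide_header X-No-Iframe-Protection;

        # Drop any X-Frame-Options the upstream set itself, so that only
        # the value decided here reaches the client.
        proxy_hide_header X-Frame-Options;

        # add_header omits the header entirely when the value is empty.
        # "always" also covers error responses (4xx/5xx).
        add_header X-Frame-Options $x_frame_options always;
    }
}
```

`add_header` directives are inherited from the enclosing level only when the current level defines none, so a `location` that has its own `add_header` lines needs this one repeated.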
0

Try using `$upstream_x_no_iframe_protection` to access the upstream response header.

Chang Sheng