NginxProxyManager / nginx-proxy-manager

Docker container for managing Nginx proxy hosts with a simple, powerful interface
https://nginxproxymanager.com
MIT License
22.67k stars 2.64k forks

Response headers duplicate when using the add_header nginx config #2896

Open nickelswitte opened 1 year ago

nickelswitte commented 1 year ago

Checklist

Describe the bug

When adding headers to the response via the advanced custom nginx configuration, the headers are duplicated in the response, rather than overwritten or appended, resulting in unusual behaviour.

Nginx Proxy Manager Version

2.10.2

To Reproduce

Steps to reproduce the behavior:

  1. Set the following inside the custom nginx config, as found in this issue #1183

    location / {
        # Force SSL
        include conf.d/include/force-ssl.conf;
        # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years)
        add_header Strict-Transport-Security "max-age=63072000;includeSubDomains; preload" always;
        add_header X-Frame-Options "ALLOW-FROM my.domain.tld";
        add_header Content-Security-Policy "frame-ancestors my.domain.tld";
        # Proxy!
        include conf.d/include/proxy.conf;
    }

  2. Load the page and inspect the response in the browser:

    HTTP/2 200 OK
    server: openresty
    date: Sun, 07 May 2023 10:32:39 GMT
    content-type: text/html
    content-encoding: gzip
    x-frame-options: sameorigin #DUPLICATE
    x-xss-protection: 1; mode=block
    x-content-type-options: nosniff
    content-security-policy: default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; connect-src 'self'; manifest-src 'self'; media-src 'self' blob:; child-src 'self' blob:; frame-src 'self'; frame-ancestors 'none' #DUPLICATE
    referrer-policy: same-origin
    permissions-policy: interest-cohort=()
    x-frame-options: ALLOW-FROM my.domain.tld #DUPLICATE
    content-security-policy: frame-ancestors my.domain.tld #DUPLICATE
    X-Firefox-Spdy: h2

Expected behavior

That the header will be appended or replaced, or rather generally, that the browser will accept the duplicate header in some way.

github-actions[bot] commented 9 months ago

Issue is now considered stale. If you want to keep it open, please comment :+1:

nickelswitte commented 8 months ago

I am still interested in a response on this.

dhruvb14 commented 6 hours ago

I got this working finally in NPM

The magic is proxy_hide_header X-Frame-Options;

I added that to the top with the other headers, and nothing in the advanced tab, just in the location > advanced tab.

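An added check, not part of the issue thread or the project's code, for the behaviour reported above: nginx `add_header` adds a field next to any copy already present in the proxied response, and a browser enforces every Content-Security-Policy header it receives, so the original `frame-ancestors 'none'` stays in force until that copy is hidden. The two header blocks are constructed samples abbreviated from the response in the issue, the function names are hypothetical, and hiding the proxied Content-Security-Policy as well as X-Frame-Options is an assumption that goes beyond the fix posted in the thread.

```python
from collections import defaultdict

# Headers where a browser expects one policy per response.
WATCHED = {"x-frame-options", "content-security-policy", "strict-transport-security"}

# Constructed samples, abbreviated from the response shown in the issue.
BEFORE = """HTTP/2 200 OK
x-frame-options: sameorigin
content-security-policy: default-src 'none'; script-src 'self'; frame-ancestors 'none'
referrer-policy: same-origin
x-frame-options: ALLOW-FROM my.domain.tld
content-security-policy: frame-ancestors my.domain.tld
"""
# Assumed result once the proxied copies are hidden (proxy_hide_header).
AFTER = """HTTP/2 200 OK
referrer-policy: same-origin
x-frame-options: ALLOW-FROM my.domain.tld
content-security-policy: frame-ancestors my.domain.tld
"""

def parse_headers(raw):
    """Map lower-cased header name -> list of values, keeping repeats."""
    headers = defaultdict(list)
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep and not line.upper().startswith("HTTP/"):
            headers[name.strip().lower()].append(value.strip())
    return dict(headers)

def duplicated(headers):
    """Watched headers that occur more than once in the response."""
    return {n: v for n, v in headers.items() if n in WATCHED and len(v) > 1}

def frame_ancestors(policy):
    """Source list of the frame-ancestors directive in one CSP, or None."""
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None

def csp_allows_framing(headers, host):
    """Each CSP header is enforced on its own, so all of them must allow host.
    Simplification: sources are compared as exact host names."""
    for policy in headers.get("content-security-policy", []):
        sources = frame_ancestors(policy)
        if sources is not None and host.lower() not in sources:
            return False
    return True

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        h = parse_headers(raw)
        print(label, sorted(duplicated(h)), csp_allows_framing(h, "my.domain.tld"))
```
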