nystudio107 / nginx-craft

An Nginx virtual host configuration for Craft CMS that implements a number of best-practices.
MIT License

Usage of add_header in location block #20

Closed xavierdemoor closed 5 years ago

xavierdemoor commented 5 years ago

I will try to do my best to describe the problem with my weird English ;)

In the file sites-available/somedomain.com.conf, line 87 there is an include of all nginx partials conf files (include /etc/nginx/nginx-partials/*.conf;) in a server block.

The file nginx-partials/security.conf contains several add_header directives to secure the website.

Later in the file sites-available/somedomain.com.conf, lines 135-136, in a location block, there are two add_header directives too.

This is a problem because those add_header directives in a location block undo all previous add_header directives in the server or http blocks.

From the nginx doc:

There could be several add_header directives. These directives are inherited from the previous level if and only if there are no add_header directives defined on the current level.

The result is that the add_header directives in nginx-partials/security.conf are absent from the final HTTP response.

To test this behavior, add a custom header like add_header Server "Follow the white rabbit"; in nginx-partials/security.conf and request a page: no rabbit. Remove those add_header directives from the location block and, voilà, follow the funny bunny!

To add headers inside a location block, you need to have:

I hope I'm clear :)
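The inheritance rule quoted above, shown as an added example (not the repository's own configuration and not the content of the linked fix). It assumes a partial at /etc/nginx/nginx-partials/security.conf that contains only add_header directives, as in the issue; the header names and values, the server_name, the root path and the two asset locations are constructed for the example. The first location reproduces the problem (its own add_header directives suppress everything inherited from the server block); the second shows one common remedy, re-including the partial at location level so the security headers are declared on the same level as the location-specific ones.

```nginx
# Added example, not the nginx-craft project's config.
# Assumed content of /etc/nginx/nginx-partials/security.conf (constructed):
#
#   add_header X-Content-Type-Options "nosniff" always;
#   add_header X-Frame-Options "SAMEORIGIN" always;
#   add_header Referrer-Policy "strict-origin-when-cross-origin" always;
#
# "always" makes nginx emit the header on every status code, not only on
# 2xx/3xx responses.

server {
    listen 80;
    server_name somedomain.com;               # constructed
    root /var/www/somedomain.com/web;         # constructed

    # Server-level headers. A location inherits them ONLY if it declares no
    # add_header directive of its own (nginx inheritance rule for add_header).
    include /etc/nginx/nginx-partials/security.conf;

    # BROKEN: this location declares its own add_header directives, so nothing
    # from security.conf is inherited here. Responses under /assets-broken/
    # carry Cache-Control and Vary, but no X-Frame-Options etc.
    location /assets-broken/ {
        add_header Cache-Control "public, max-age=31536000, immutable";
        add_header Vary "Accept-Encoding";
    }

    # FIXED: re-declare the security headers on this level by including the
    # partial again, next to the location-specific headers. Now all five
    # headers are sent for /assets/.
    location /assets/ {
        include /etc/nginx/nginx-partials/security.conf;
        add_header Cache-Control "public, max-age=31536000, immutable";
        add_header Vary "Accept-Encoding";
    }

    # No add_header here, so this location inherits the server-level headers.
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }
}
```

To check the result, run `nginx -t` to validate the syntax, reload, and compare the response headers of the two locations, for example with `curl -sI http://somedomain.com/assets-broken/app.css` and `curl -sI http://somedomain.com/assets/app.css`: only the second should list X-Frame-Options and the other security headers. The same check applies to any location block that sets its own add_header, including ones added later by other partials.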

khalwat commented 5 years ago

Fixed via https://github.com/nystudio107/nginx-craft/commit/e9ad19ab919adb9b2e22a02fcd3648a9ee3fe6c2