I have a Node.js application, running on port 8080, with an NGINX server running in front and acting as a caching reverse-proxy.

I want NGINX to cache everything except one page, the dashboard of my application: /dashboard.

Here is my configuration so far:

    server {

        listen       80;
        server_name  mydomain.name;

        # SECURITY
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Content-Type-Options nosniff;
        add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' https://gravatar.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; object-src 'none'";

        ...

        proxy_set_header   Host $host;
        proxy_set_header   X-Forwarded-For $remote_addr;

        location / {
            add_header X-Proxy-Cache $upstream_cache_status;
            proxy_cache        STATIC;
            proxy_pass         http://127.0.0.1:8080;
        }

        location /dashboard {
            proxy_pass         http://127.0.0.1:8080/dashboard;
        }
    }

Caching seems to be working fine, but the security headers (X-XSS-Protection, Content-Security-Policy, etc.) seem to be only added to /dashboard and not to cached pages like / or /login.

Is there something wrong with my current configuration? What can I do to fix the problem?

1 Answer

Any "add_header" directives outside of a location block are ignored if there are "add_headers" within the location block being processed. As "/dashboard" has no "add_header", the server level one is in use.

Per the docs:

There could be several add_header directives. These directives are inherited from the previous level if and only if there are no add_header directives defined on the current level.
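
The inheritance rule quoted above can be checked mechanically. The following is an added example, not part of the original question or answer: a small Python audit that walks an nginx configuration and reports every block whose own add_header directives stop inherited headers from being sent. The tokenizer is a simplification (it assumes no `${var}` braces and only whole-line comments), and the function names and SAMPLE config are constructed for illustration.

```python
import re

# Constructed sample modelled on the question's config (CSP and cache lines omitted).
SAMPLE = r'''
server {
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options nosniff;
    location / {
        add_header X-Proxy-Cache $upstream_cache_status;
        proxy_pass http://127.0.0.1:8080;
    }
    location /dashboard {
        proxy_pass http://127.0.0.1:8080/dashboard;
    }
}
'''

# Quoted strings first, so the ';' inside "1; mode=block" is not a terminator.
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'|[{};]|[^\s{};"\']+')

def parse(tokens):
    """Build a list of (words, children); children is None for simple directives."""
    items, words = [], []
    for tok in tokens:
        if tok == '}':
            break
        if tok in (';', '{'):
            items.append((words, parse(tokens) if tok == '{' else None))
            words = []
        else:
            words.append(tok)
    return items

def dropped_headers(items, inherited=frozenset(), path='', out=None):
    """Map each block that declares add_header to the inherited headers it loses."""
    out = {} if out is None else out
    own = {w[1] for w, kids in items
           if kids is None and w[:1] == ['add_header'] and len(w) > 2}
    effective = own or inherited          # nginx: inherit only if none at this level
    if own and inherited - own:
        out[path] = sorted(inherited - own)
    for w, kids in items:
        if kids is not None:
            dropped_headers(kids, frozenset(effective), f"{path} {' '.join(w)}".strip(), out)
    return out

def audit(text):
    tokens = iter(TOKEN.findall(re.sub(r'(?m)^\s*#.*$', '', text)))
    return dropped_headers(parse(tokens))
```

Run over the sample, `audit(SAMPLE)` flags `server location /` as losing the three server-level security headers, while `/dashboard`, which declares no add_header of its own, inherits them and is not reported.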