Merge pull request perusio#213 from colans/issue-212

Issue perusio#212: Move header-adding to nginx.conf to avoid losing headers
swarad07 · Jun 28, 2015 · 3009c0e · 3009c0e
2 parents 692bbc0 + ce8a963
commit 3009c0e
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 22 deletions.
diff --git a/apps/drupal/microcache_fcgi.conf b/apps/drupal/microcache_fcgi.conf
@@ -23,29 +23,10 @@ fastcgi_ignore_headers Cache-Control Expires;
 ## Bypass the cache.
 fastcgi_cache_bypass $no_cache;
 fastcgi_no_cache $no_cache;
-## Add a cache miss/hit status header.
-add_header X-Micro-Cache $upstream_cache_status;
+
 ## To avoid any interaction with the cache control headers we expire
 ## everything on this location immediately.
 expires epoch;
-## Enable clickjacking protection in modern browsers. Available in
-## IE8 also. See
-## https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header
-## This may conflicts with pseudo streaming (at least with Nginx version 1.0.12).
-## Uncomment the line below if you're not using media streaming.
-## For sites *not* using frames uncomment the line below.
-#add_header X-Frame-Options DENY;
-## For sites *using* frames uncomment the line below.
-#add_header X-Frame-Options SAMEORIGIN;
-
-## Block MIME type sniffing on IE.
-add_header X-Content-Options nosniff;
-
-## Strict Transport Security header for enhanced security. See
-## http://www.chromium.org/sts. I've set it to 2 hours; set it to
-## whichever age you want.
-## Uncomment the line below if you're using HTTPS.
-#add_header Strict-Transport-Security max-age=7200;
 
 ## If you're using a Nginx version greater than 1.1.11 then uncomment
 ## the line below. See:

diff --git a/nginx.conf b/nginx.conf
@@ -163,9 +163,17 @@ http {
     ## line below.
     add_header X-Frame-Options DENY;
 
+    ## Enable this if using HTTPS. See sites-available/example.com.conf
+    ## for details.
+    #add_header Strict-Transport-Security "max-age=7200";
+
     ## Block MIME type sniffing on IE.
     add_header X-Content-Options nosniff;
 
+    ## Add a cache miss/hit status header. This can be disabled if not including
+    ## any of the apps/drupal/microcache* files.
+    add_header X-Micro-Cache $upstream_cache_status;
+
     ## Include the upstream servers for PHP FastCGI handling config.
     ## This one uses the FCGI process listening on TCP sockets.
     include upstream_phpcgi_tcp.conf;

diff --git a/sites-available/example.com.conf b/sites-available/example.com.conf
@@ -173,8 +173,11 @@ server {
 
     ## Strict Transport Security header for enhanced security. See
     ## http://www.chromium.org/sts. I've set it to 2 hours; set it to
-    ## whichever age you want.
-    add_header Strict-Transport-Security "max-age=7200";
+    ## whichever age you want. However, we can't set this here because adding
+    ## a header will drop all other headers set earlier. See
+    ## http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header
+    ## for details.  Instead, uncomment this in nginx.conf.
+    ## add_header Strict-Transport-Security "max-age=7200";
 
     root /var/www/sites/example.com;
     index index.php;