Forum: NGINX Nginx as reverse Proxy, remove X-Frame-Options header

0fb99e1bb1e09d6fc974c67a1c92fffb?d=identicon&s=25 basti (Guest)
on 2014-01-09 11:03
(Received via mailing list)
Hello,

I have a closed-source Webapp that run on an IIS-Webserver and send a
"X-Frame-Options: SAMEORIGIN" header.
I also have to implement this Webapp in my own, Frame based Application.

So I try to use nginx as a reverse Proxy, but the X-Frame-Options Header
is still send.
How can I remove his header?
I have try "proxy_hide_header X-Frame-Options;" without success.

Regards,
Basti
34011bc56457235a2caa5ed1d4a29f3c?d=identicon&s=25 Jonathan Matthews (Guest)
on 2014-01-09 11:22
(Received via mailing list)
On 9 January 2014 10:03, basti <black.fledermaus@arcor.de> wrote:
> Hello,
>
> I have a closed-source Webapp that run on an IIS-Webserver and send a
> "X-Frame-Options: SAMEORIGIN" header.
> I also have to implement this Webapp in my own, Frame based Application.
>
> So I try to use nginx as a reverse Proxy, but the X-Frame-Options Header
> is still send.
> How can I remove his header?
> I have try "proxy_hide_header X-Frame-Options;" without success.

You'll find the answer in the documentation:
http://wiki.nginx.org/NginxHttpProxyModule#proxy_set_header

J
A8108a0961c6087c43cda32c8616dcba?d=identicon&s=25 Maxim Dounin (Guest)
on 2014-01-09 12:45
(Received via mailing list)
Hello!

On Thu, Jan 09, 2014 at 11:03:11AM +0100, basti wrote:

> Hello,
>
> I have a closed-source Webapp that run on an IIS-Webserver and send a
> "X-Frame-Options: SAMEORIGIN" header.
> I also have to implement this Webapp in my own, Frame based Application.
>
> So I try to use nginx as a reverse Proxy, but the X-Frame-Options Header
> is still send.
> How can I remove his header?
> I have try "proxy_hide_header X-Frame-Options;" without success.

The proxy_hide_header directive is expected to work (and works
here, just tested).  If it doesn't work for you, you may want to
provide more details, see http://wiki.nginx.org/Debugging for some
hints.

--
Maxim Dounin
http://nginx.org/
A8108a0961c6087c43cda32c8616dcba?d=identicon&s=25 Maxim Dounin (Guest)
on 2014-01-09 12:57
(Received via mailing list)
Hello!

On Thu, Jan 09, 2014 at 10:21:43AM +0000, Jonathan Matthews wrote:

> > I have try "proxy_hide_header X-Frame-Options;" without success.
>
> You'll find the answer in the documentation:
> http://wiki.nginx.org/NginxHttpProxyModule#proxy_set_header

The X-Frame-Options header is returned by a server-side
application, hence the proxy_hide_header is correct solution,
while proxy_set_header isn't.

And, being pedantic, wiki != documentation.  Here are
links to the documentation:

http://nginx.org/r/proxy_set_header
http://nginx.org/r/proxy_hide_header

--
Maxim Dounin
http://nginx.org/
34011bc56457235a2caa5ed1d4a29f3c?d=identicon&s=25 Jonathan Matthews (Guest)
on 2014-01-09 13:13
(Received via mailing list)
On 9 January 2014 11:57, Maxim Dounin <mdounin@mdounin.ru> wrote:
>> >
> while proxy_set_header isn't.
My bad. I was pretty sure I'd had success with 'set foo ""' where
'hide' hadn't worked in the past.

> And, being pedantic, wiki != documentation.  Here are
> links to the documentation:
>
> http://nginx.org/r/proxy_set_header
> http://nginx.org/r/proxy_hide_header

Ack that. I'll personally keep linking to the wiki until the
documentation

* is significantly better internally hyper-linked;
* has documentation targeted soley towards the open source nginx,
without having to skip to the end of each directive to check for "This
functionality is available as part of our commercial subscription
only";
* has useful pages such as IfIsEvil integrated into it.

I may be wrong about that third one still needing doing, but I
couldn't find IfIsEvil anywhere but the wiki. The presence of a
top-level pointer on each wiki page to http://nginx.org/en/docs/ is
pretty useless, too - it needs to point to the appropriate place in
the docs to get people to start using them.

Didn't you guys pick up several millions a while ago, which was
announced as being somewhat earmarked for improving documentation? :-)

</rant>
852dc51f145bb11af7be64b5ee3fbe88?d=identicon&s=25 nano (Guest)
on 2014-01-09 13:24
(Received via mailing list)
On 9/01/2014 11:12 PM, Jonathan Matthews wrote:
>>>> I also have to implement this Webapp in my own, Frame based Application.
>> application, hence the proxy_hide_header is correct solution,
>
> couldn't find IfIsEvil anywhere but the wiki. The presence of a
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>

I share your opinion regarding nginx documentation. It is woeful.
Particularly when compared to other exemplary open source projects, such
as Postfix and FreeBSD. My inability to easily transfer my webservers to
nginx from Apache, due to (my own shortcomings compounded by) terribly
inadequate documentation, nearly made the transition impossible. Insult
was only added to injury when, after transferring some sites to the
recommended nginx, I found very little performance enhancement.
Admittedly, I am most probably not properly utilizing the application
and will only see improvements when my own abilities allow it.
Nevertheless, the documentation needs work. It is prudent to accommodate
less technically aware users.

--
syn.bsdbox.co
34011bc56457235a2caa5ed1d4a29f3c?d=identicon&s=25 Jonathan Matthews (Guest)
on 2014-01-09 13:48
(Received via mailing list)
On 9 January 2014 12:24, nano <nanotek@bsdbox.co> wrote:
> I share your opinion regarding nginx documentation. It is woeful.

Sorry chap - I didn't say that and I don't think that. There may well
be some specific target audiences not well served by the aggregate of
the current (psuedo-)documentation sources, but that doesn't mean they
themselves are /that/ bad. My problems with them are specific and
fixable, and not just "make it better!"

J
A8108a0961c6087c43cda32c8616dcba?d=identicon&s=25 Maxim Dounin (Guest)
on 2014-01-09 13:49
(Received via mailing list)
Hello!

On Thu, Jan 09, 2014 at 12:12:09PM +0000, Jonathan Matthews wrote:

> >> > I also have to implement this Webapp in my own, Frame based Application.
> > application, hence the proxy_hide_header is correct solution,
>
> couldn't find IfIsEvil anywhere but the wiki. The presence of a
> top-level pointer on each wiki page to http://nginx.org/en/docs/ is
> pretty useless, too - it needs to point to the appropriate place in
> the docs to get people to start using them.
>
> Didn't you guys pick up several millions a while ago, which was
> announced as being somewhat earmarked for improving documentation? :-)

And that's why we actually have the documentation in English.  :)
Additionally, compared to what we have previously it is already
significantly imporoved.

As I already explained, the problem with wiki pages which
duplication documentation is a bit rot.  There are lots of
improvements in the documentation which isn't in wiki, most
obviously - there are no new directives.  And this bit rot confuse
people more and more.

The generic plan is to avoid the duplication altogether,
preserving wiki for useful additional content.

--
Maxim Dounin
http://nginx.org/
852dc51f145bb11af7be64b5ee3fbe88?d=identicon&s=25 nano (Guest)
on 2014-01-09 14:19
(Received via mailing list)
On 9/01/2014 11:47 PM, Jonathan Matthews wrote:
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>

Nonetheless, I find the official documentation lacking. It is good that
you do not. Fortunately, there are alternative resources that make
deployment of nginx servers achievable for users lacking technical
proficiency, like myself.

--
syn.bsdbox.co
7e5b9e3ef674f859551ae0e283061b52?d=identicon&s=25 Jim Ohlstein (Guest)
on 2014-01-09 16:21
(Received via mailing list)
Hello,

On 1/9/14, 7:24 AM, nano wrote:

[snip]

> Nevertheless, the documentation needs work. It is prudent to accommodate
> less technically aware users.
>

You may not see much "performance enhancement" if your server was not
heavily loaded or if it is using PHP to serve static content, such as
WordPress used to do up until version 3.4 and continues to do on some
sites that were upgraded from older versions to the current version.
Also, if you are running a PHP daemon and a MySQL server on the same
server as you run nginx, they may contribute more to server load than
does nginx. Optimizing them, especially MySQL, may give you significant
"performance enhancement". I mention WordPress because you link to a
WordPress site in your signature. Since your domain was first registered
in November and since you only have a few posts most of which are
rudimentary, I am going to doubt that you don't have a lot of traffic.
Alexa does not even have data on your site yet, it's so new. Plus using
a self signed certificate and creating SSL links on your home page -
http://bsdbox.co - give the big red page on Chrome. I have no desire to
add an exception for a two month old domain. Spring for $4.99/year at
https://www.cheapssls.com/domain-only.html and get a PositiveSSL
certificate.

The shortcomings are yours indeed. The documentation is for people who
understand the concepts and is not meant to be a replacement for a "for
Dummies" book. I believe that (almost) every directive is covered. If
you do not understand what the directives mean, there are many ways to
figure it out. In such a case, Google is your friend.

Comparing nginx documentation to FreeBSD documentation is a bit
unrealistic. FreeBSD documentation is written by volunteers of which
there are dozens if not hundreds. The entire project is a community
effort. Despite that, some is out of date. For instance, look at
http://www5.us.freebsd.org/doc/handbook/svn-mirrors.html. Do you see
svn0.eu.FreeBSD.org listed there, or its fingerprint? There may be other
servers missing as well. I have found many other examples but that's the
first that comes to mind.

Anyone who wants to *volunteer* to improve the documentation should do
so. I'm sure the devs would at least look at any provided patches.

Of course, you can always create a community effort of your own and
organize your own wiki or alternate set of documentation. Or perhaps you
can apply for a job at Nginx.com to work on upgrading the documentation
to your standards.

The original purpose of the wiki was to serve as English documentation
when there was little to none. Sure, it had a bit more hand holding, but
it really has become superfluous at least in terms of providing up to
date documentation, at least IMMHO.


--
Jim Ohlstein
852dc51f145bb11af7be64b5ee3fbe88?d=identicon&s=25 nano (Guest)
on 2014-01-09 18:15
(Received via mailing list)
On 10/01/2014 2:21 AM, Jim Ohlstein wrote:
>> nginx from Apache, due to (my own shortcomings compounded by) terribly
> heavily loaded or if it is using PHP to serve static content, such as
> WordPress used to do up until version 3.4 and continues to do on some
> sites that were upgraded from older versions to the current version.
> Also, if you are running a PHP daemon and a MySQL server on the same
> server as you run nginx, they may contribute more to server load than
> does nginx. Optimizing them, especially MySQL, may give you significant
> "performance enhancement".

Thanks, Jim, for the suggestions. I may look into optimizing MySQL at a
later date.

>
That domain only hosts a personal blog documenting FreeBSD procedures,
and SOHO resource for colleagues, family and friends; in fact, the
server is still running Apache and is not relevant to my observations
pertaining to increased performance, or lack of, in transferring to
nginx on other sites. Further, I have no desire to satisfy your trust
concerns. My concern is to secure my own sensitive traffic. Moreover,
the paradigm of entrusting third parties is foolish and highly
susceptible to exploitation, but this, too, is irrelevant. Thank you for
your concern and advice; however, I will not be purchasing a
"PositiveSSL certificate".

> The shortcomings are yours indeed. The documentation is for people who
> understand the concepts and is not meant to be a replacement for a "for
> Dummies" book. I believe that (almost) every directive is covered. If
> you do not understand what the directives mean, there are many ways to
> figure it out. In such a case, Google is your friend.
>

I have no doubt, and iterated, my inadequacies affect my
(mis)understanding of the documentation. Similarly, I remarked on the
utility of alternative resources; found through Google. If you have some
"for Dummies" resources, please feel free to provide them. That would be
good.

> Comparing nginx documentation to FreeBSD documentation is a bit
> unrealistic. FreeBSD documentation is written by volunteers of which
> there are dozens if not hundreds. The entire project is a community
> effort. Despite that, some is out of date. For instance, look at
> http://www5.us.freebsd.org/doc/handbook/svn-mirrors.html. Do you see
> svn0.eu.FreeBSD.org listed there, or its fingerprint? There may be other
> servers missing as well. I have found many other examples but that's the
> first that comes to mind.
>

It is analogous, as is the comparison to Postfix documentation. I did
not claim FreeBSD literature is absent error, but that it is simply more
comprehensive and accommodates "Dummies". If nginx chooses to cater for
"for people who understand the concepts and is not meant to be a
replacement for a 'for Dummies' book", that is the prerogative of the
maintainers and developers of nginx documentation.

> Anyone who wants to *volunteer* to improve the documentation should do
> so. I'm sure the devs would at least look at any provided patches.
>
> Of course, you can always create a community effort of your own and
> organize your own wiki or alternate set of documentation. Or perhaps you
> can apply for a job at Nginx.com to work on upgrading the documentation
> to your standards.
>

I am certain there are people who value and appreciate the project
enough that will choose to contribute. When the values and objectives of
a project comport with my own, I often choose to contribute how I can;
such as, deploying Tor exit nodes, documenting up-to-date, basic
procedures, or making monetary donations to the FreeBSD Foundation. This
is a nice quality of open source communities. The good ones thrive, the
less valued do not.

> The original purpose of the wiki was to serve as English documentation
> when there was little to none.

I am sure that multimillion dollar donations will contribute to further
improvements.

> Sure, it had a bit more hand holding, but
> it really has become superfluous at least in terms of providing up to
> date documentation, at least IMMHO.
>
>

You are entitled to your opinion, as am I. Your advice will be
considered. Thank you, Jim.

--
syn.bsdbox.co
7e5b9e3ef674f859551ae0e283061b52?d=identicon&s=25 Jim Ohlstein (Guest)
on 2014-01-09 18:33
(Received via mailing list)
Hello,

On 1/9/14, 12:14 PM, nano wrote:
>>> as Postfix and FreeBSD. My inability to easily transfer my webservers to
>> You may not see much "performance enhancement" if your server was not
>> heavily loaded or if it is using PHP to serve static content, such as
>> WordPress used to do up until version 3.4 and continues to do on some
>> sites that were upgraded from older versions to the current version.
>> Also, if you are running a PHP daemon and a MySQL server on the same
>> server as you run nginx, they may contribute more to server load than
>> does nginx. Optimizing them, especially MySQL, may give you significant
>> "performance enhancement".
>
> Thanks, Jim, for the suggestions. I may look into optimizing MySQL at a
> later date.

Going to copy someone else's procedures and write another "tutorial"?

>> certificate.
> your concern and advice; however, I will not be purchasing a
> "PositiveSSL certificate".

Whatever. You put a link in your signature and *very* rudimentary (and
somewhat incorrect) "tutorials" in your blog.

In fact, on December 20, 2013 you wrote:

"I recently decided to build my first FreeBSD box. First order of
business: roll my own Apache server to host my ownCloud service. I also
decided to stand up this WordPress site to document my progress. Mostly
for posteritys sake; this way, I have tried-and-tested data to
reference during future UNIX operations. Why should I []"

Learn something about being a sysadmin before writing "tutorials".

Anyway, opinions are like assholes. Everybody has one. Yours just
happens to be wrong.

> utility of alternative resources; found through Google. If you have some
>> first that comes to mind.
>>
>
> It is analogous, as is the comparison to Postfix documentation. I did
> not claim FreeBSD literature is absent error, but that it is simply more
> comprehensive and accommodates "Dummies". If nginx chooses to cater for
> "for people who understand the concepts and is not meant to be a
> replacement for a 'for Dummies' book", that is the prerogative of the
> maintainers and developers of nginx documentation.

See above.

> I am certain there are people who value and appreciate the project
> I am sure that multimillion dollar donations will contribute to further
> improvements.

I'm not aware of any "multimillion dollar donations" but maybe you are.
Commercial funding is not a "donation".

>
>> Sure, it had a bit more hand holding, but
>> it really has become superfluous at least in terms of providing up to
>> date documentation, at least IMMHO.
>>
>>
>
> You are entitled to your opinion, as am I. Your advice will be
> considered. Thank you, Jim.

Again, see above.

>

Peace out.

--
Jim Ohlstein
852dc51f145bb11af7be64b5ee3fbe88?d=identicon&s=25 nano (Guest)
on 2014-01-09 18:47
(Received via mailing list)
On 10/01/2014 4:33 AM, Jim Ohlstein wrote:
>>>>
>>>> and will only see improvements when my own abilities allow it.
>>> server as you run nginx, they may contribute more to server load than
>>> does nginx. Optimizing them, especially MySQL, may give you significant
>>> "performance enhancement".
>>
>> Thanks, Jim, for the suggestions. I may look into optimizing MySQL at a
>> later date.
>
> Going to copy someone else's procedures and write another "tutorial"?
>

I will record the procedure that results in a successful mission. That
typically involves documenting steps taken from a variety of sources, as
finding one that works without requiring changes is not commonplace. If
you have any resources, please feel free to provide them.

>>> certificate.
>> your concern and advice; however, I will not be purchasing a
>> "PositiveSSL certificate".
>
> Whatever. You put a link in your signature and *very* rudimentary (and
> somewhat incorrect) "tutorials" in your blog.
>

Please, feel free to highlight what is incorrect, Jim. I would be happy
to make corrections.

> In fact, on December 20, 2013 you wrote:
>
> "I recently decided to build my first FreeBSD box. First order of
> business: roll my own Apache server to host my ownCloud service. I also
> decided to stand up this WordPress site to document my progress. Mostly
> for posteritys sake; this way, I have tried-and-tested data to
> reference during future UNIX operations. Why should I []"
>

As I said in the paragraph you quote above: "personal blog documenting
FreeBSD procedures." I find it useful to record my progress. If it helps
somebody else, that is good.

> Learn something about being a sysadmin before writing "tutorials".
>

I hope to continue learning. Please, feel free to contribute in any way
you like.

> Anyway, opinions are like assholes. Everybody has one. Yours just
> happens to be wrong.
>

If that is your opinion. Good for you. Like you say, "everybody has
one."

>> utility of alternative resources; found through Google. If you have some
>>> first that comes to mind.
>
>> I am certain there are people who value and appreciate the project
>> I am sure that multimillion dollar donations will contribute to further
>> improvements.
>
> I'm not aware of any "multimillion dollar donations" but maybe you are.
> Commercial funding is not a "donation".
>

Then, that multimillion dollar funding will surely help.

> Again, see above.
>
>>
>
> Peace out.
>

Likewise.

--
syn.bsdbox.co
Please log in before posting. Registration is free and takes only a minute.
Existing account

NEW: Do you have a Google/GoogleMail, Yahoo or Facebook account? No registration required!
Log in with Google account | Log in with Yahoo account | Log in with Facebook account
No account? Register here.