Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
A
A
Alex2018-12-10 04:47:26
Nginx
Alex, 2018-12-10 04:47:26

How to initialize variable when adding Content Security Policy to Nginx configs?

Good afternoon!
After adding the Content Security Policy rules to the Nginx config, errors began to appear in the log file:

2018/12/09 22:55:05 [warn] 500#500: *18 using uninitialized "csp" variable while reading response header from upstream, client: xxx.xx.xx.xxx, server: site.ru, request: "GET /page/2/ HTTP/2.0", upstream: "fastcgi://unix:/var/www/php-fpm/xxxxxxxx.sock:", host: "site.ru", referrer: "https://site.ru/"
2018/12/09 22:55:15 [warn] 500#500: *60 using uninitialized "csp" variable while reading response header from upstream, client: xxx.xx.xx.xxx, server: site.ru, request: "GET /page/2/ HTTP/2.0", upstream: "fastcgi://unix:/var/www/php-fpm/xxxxxxxx.sock:", host: "site.ru", referrer: "https://site.ru/"

Code for adding Content-Security-Policy to /etc/nginx/vhosts-resources/site.ru/general.conf config:
set $CSP_image  "img-src      'self' 'unsafe-inline' 'unsafe-eval' data: *.printfriendly.com *.w.org *.gravatar.com *.vimeocdn.com; ";
set $CSP_script "script-src   'self' 'unsafe-inline' 'unsafe-eval' *.w.org *.gravatar.com *.googleapis.com *.jsdelivr.net *.printfriendly.com *.kxcdn.com *.vimeocdn.com *.hs-analytics.net *.securitymetrics.com *.google-analytics.com; ";
set $CSP_style  "style-src    'self' 'unsafe-inline' *.googleapis.com *.bootstrapcdn.com *.gstatic.com *.vimeocdn.com; ";
set $CSP_font   "font-src     'self' data: *.googleapis.com *.bootstrapcdn.com *.gstatic.com *.googleapis.com; ";
set $CSP_frame  "frame-src    'self' *.vimeocdn.com *.vimeo.com; ";
set $CSP_object "object-src   'self' ; ";
set $CSP        "default-src  'self' ; ${CSP_image} ${CSP_script} ${CSP_style} ${CSP_font} ${CSP_frame} ${CSP_object}";
add_header Content-Security-Policy $CSP;

Why does Nginx consider the $CSP variable to be uninitialized and how to initialize it?
PS Just discovered that the Content Security Policy is given only on the main page, on other pages - no.
PPS Everything, the question is removed - the order of the rules ...

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

0 answer(s)
Similar questions
E
EVOSandru62020-06-23 02:42:49
How to cache only design assets in Laravel using nginx? 1Reply
S
StopDesign2013-06-27 21:12:28
Lots of identical POST requests to **/edit? 3Reply
S
Sergey Pozdnyakov2020-06-24 11:06:17
Why doesn't client_max_body_size work in location? 2Reply
F
First Name2018-06-20 08:58:56
How to set up a redirect from www to without www? 1Reply
S
Sergey2018-06-21 23:00:02
How to migrate .htaccess rules to Nginx? 4Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question