rocket-nginx: Pre-Set nginx Headers are ignored/unset for cached pages

Describe the bug

Well described here: https://www.peterbe.com/plog/be-very-careful-with-your-add_header-in-nginx

If you add any global nginx headers with add_header they are discarded by:

# Add header to HTML cached files
location ~ /wp-content/cache/wp-rocket/.*html$ {
        etag on;
        add_header Vary "Accept-Encoding, Cookie";
        ....
}

# Do not gzip cached files that are already gzipped
location ~ /wp-content/cache/wp-rocket/.*_gzip$ {
        etag on;
        gzip off;
        types {}
        default_type text/html;
        add_header Content-Encoding gzip;
        ....
}

Versions

What version of Nginx are you using? 1.16.1

What version of Rocket-Nginx are you using? origin/master (2.1.1)

What version of WP Rocket are you using? 3.3.7

Are you using Nginx as a reverse proxy (with Apache for instance)? No

To Reproduce

Steps to reproduce the behaviour: Add any header to your vhost config before you add include /etc/nginx/rocket-nginx/default.conf; like:

server {
        ....
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Content-Type-Options "nosniff";
        include /etc/nginx/rocket-nginx/default.conf;
       ....
}
  1. Call a page that is not cached: You will see the headers from the server block + the rocket-nginx headers that are NOT in the location block.

  2. Call a cached page and you will see that they are missing.

Did you activate the debug in Rocket-Nginx? Please do and include any headers. Not necessary

Expected behavior

The previously set global headers should remain set for cached pages. Thus no add_header must be called within rocket-nginx location blocks for cached pages. Outside of the location blocks should work fine.


About this issue

  • State: closed
  • Created 5 years ago
  • Comments: 15
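
Added example, not code from the issue or from rocket-nginx: a small Python check for the inheritance rule behind this report, namely that nginx applies a parent level's add_header directives only when the current level defines none of its own. The tokenizer is simplified (it does not follow include directives or handle braces inside regex locations), SAMPLE is a constructed config with the include inlined by hand, and parse and dropped_headers are hypothetical helper names.

```python
import re

TOKEN = re.compile(r'''"[^"]*"|'[^']*'|#[^\n]*|[{};]|[^\s{};]+''')
# Constructed sample modelled on the report; the include is inlined by hand.
SAMPLE = r'''
server {
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";
    location ~ /wp-content/cache/wp-rocket/.*html$ {
        add_header Vary "Accept-Encoding, Cookie";
    }
    location / { try_files $uri $uri/ /index.php; }
}
'''

def parse(conf):  # tree of blocks with the add_header names set in each
    root = {"name": "main", "own": [], "children": []}
    stack, words = [root], []
    for tok in TOKEN.findall(conf):
        if tok == "{":
            node = {"name": " ".join(words), "own": [], "children": []}
            stack[-1]["children"].append(node)
            stack.append(node)
        elif tok == "}":
            stack.pop()
        elif tok == ";":
            if len(words) >= 3 and words[0] == "add_header":
                stack[-1]["own"].append(words[1].strip("\"'"))
        else:
            if not tok.startswith("#"):  # skip comments, keep collecting words
                words.append(tok)
            continue
        words = []
    return root

def dropped_headers(conf):
    """Map each block that sets add_header to the inherited names it discards."""
    findings = {}
    def walk(node, inherited):
        lost = [h for h in inherited if h not in node["own"]]
        if node["own"] and lost:
            findings[node["name"]] = lost
        # nginx rule: a level inherits add_header only if it defines none itself.
        for child in node["children"]:
            walk(child, node["own"] or inherited)
    walk(parse(conf), [])
    return findings

if __name__ == "__main__":
    print(dropped_headers(SAMPLE))
```

The uncached `location /` block is not reported because it sets no add_header of its own and so keeps both server-level headers.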

Most upvoted comments

Fixed in version 3.0. You can now add files to include with your desired headers.

Hey @maximejobin thanks for your open mind on this 😃 Let me collect some of the open issues and make it a V3. I already scanned them and some of them should be easy to address right away. Especially the clean-up and naming things.

The caching time should be a variable of course. That makes sense. If you come up with some headers that should be distinguished between GZIP / non-GZIP let’s think it through when we pass that bridge. In the last 7 years we used nginx, I never had the need to handle any functional headers specific for gzip / non-gzip.

So I would extend this PR and target a v3.0 branch for the start.

This is because of the way Nginx is made. That is why I have created header configurations.

You have to manually add them in the rocket-nginx.ini file like this:

http_header[X-XSS-Protection] = "1; mode=block"
http_header[X-Content-Type-Options] = "nosniff"

css_header[X-XSS-Protection] = "1; mode=block"
css_header[X-Content-Type-Options] = "nosniff"

js_header[X-XSS-Protection] = "1; mode=block"
js_header[X-Content-Type-Options] = "nosniff"

medias_header[X-XSS-Protection] = "1; mode=block"
medias_header[X-Content-Type-Options] = "nosniff"