Nginx
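1 Preface
One problem, one article, one story.
I was recently setting up a reverse proxy for a company application and found that, on pages served over HTTPS, requests to insecure HTTP URLs were being blocked. The browser's developer tools showed the following details: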
Mixed Content: The page at 'https://appname.cmdschool.org/main.jsp' was loaded over HTTPS, but requested an insecure frame 'http://appname.cmdschool.org:443/appname/portal/equiplist/dtHistQueryGuiFet.action'. This request has been blocked; the content must be served over HTTPS.
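After looking into it with a colleague, I found that this problem can be solved by modifying the page headers.
2 Best practice
2.1 Create the reverse proxy configuration file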
vim /etc/nginx/conf.d/appname.cmdschool.org_443.conf
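Add the following configuration:
location / {
    #...
    # Drop the Content-Security-Policy header returned by the upstream
    # application (this discards the upstream's entire policy)
    proxy_hide_header Content-Security-Policy;
    # Send this policy on every response, including error responses ("always")
    add_header Content-Security-Policy Upgrade-Insecure-Requests always;
}
Alternatively, adding the following code directly to the HTML page also solves the problem:
<head>
    <meta http-equiv="Content-Security-Policy" content="Upgrade-Insecure-Requests">
</head>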
2.2 Reload the service to apply the configuration
systemctl reload nginx.service
systemctl status nginx.service
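The browser behaviour behind this fix, as an added example that is not part of the original post: a simplified JavaScript model of how a blockable subresource (frame, script) on an HTTPS page is handled with and without the directive, run on the URLs from the error message above. The function names are assumptions made for this illustration.

```javascript
// Added example: simplified model of a browser loading a frame or script
// from an HTTPS page, with and without upgrade-insecure-requests.

// True when the CSP header value carries the directive (names are case-insensitive).
function hasUpgradeDirective(cspValue) {
  return (cspValue || "")
    .split(";")
    .map((directive) => directive.trim().split(/\s+/)[0].toLowerCase())
    .includes("upgrade-insecure-requests");
}

// Upgrade step: http becomes https. An explicit port is kept; the default
// port 80 becomes the https default. Userinfo is not carried over here.
function upgradeUrl(raw) {
  const url = new URL(raw);
  if (url.protocol !== "http:") return url.href;
  const port = url.port === "" ? "" : ":" + url.port;
  return new URL(
    `https://${url.hostname}${port}${url.pathname}${url.search}${url.hash}`
  ).href;
}

// Decide what happens to one blockable subresource (frame, script).
function resolveSubresource(pageUrl, cspValue, resourceUrl) {
  const page = new URL(pageUrl);
  const resource = new URL(resourceUrl, pageUrl);
  if (page.protocol !== "https:" || resource.protocol !== "http:") {
    return { action: "allowed", url: resource.href };
  }
  if (hasUpgradeDirective(cspValue)) {
    return { action: "upgraded", url: upgradeUrl(resource.href) };
  }
  return { action: "blocked", url: resource.href };
}

// URLs from the browser message quoted on this page.
const PAGE = "https://appname.cmdschool.org/main.jsp";
const FRAME =
  "http://appname.cmdschool.org:443/appname/portal/equiplist/dtHistQueryGuiFet.action";

console.log(resolveSubresource(PAGE, "", FRAME));
console.log(resolveSubresource(PAGE, "Upgrade-Insecure-Requests", FRAME));
```

The explicit `:443` in the blocked URL is why the upgrade works here: after the scheme change the request goes to the HTTPS listener on its default port.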
References
=================
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Upgrade-Insecure-Requests