only add Content-Type header when respnose body is present #82
Conversation
…nse body is present
… 0 in HTTPS server block
|
|
||
| # Don't add a `Content-Type` header if the response length is 0, | ||
| # e.g. 204/304 status codes | ||
| if ( $upstream_response_length != 0 ) { |
There was a problem hiding this comment.
this is making me think of all the if is evil posts about nginx. I think using a map is safer here (but I'm still pondering how exactly to write it)
There was a problem hiding this comment.
Yeah, I couldn't find the original "if is evil" post for context. All I found was people saying not to use if in location blocks
There was a problem hiding this comment.
yeah, the not in location blocks thing is what I mostly found while digging. I think this is the original "If is evil" post: https://github.com/nginxinc/nginx-wiki/blob/master/source/start/topics/depth/ifisevil.rst
(but note that we are in a location block)
There was a problem hiding this comment.
Here's the original post: https://web.archive.org/web/20150924145945/https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/
It seems like it is saying not to use if inside a location block, but we're using it inside a server block.
All that being said, if there's a safer way to do it, I'm all for it. It seems like the only way to do it would probably be some kind of Lua block, but that felt beyond me
There was a problem hiding this comment.
@bengerman13 What do you think about 099ce01 ?
Inspired by:
https://stackoverflow.com/questions/33660493/nginx-lua-set-proxy-headers
https://www.reddit.com/r/nginx/comments/4clta3/using_lua_to_set_headers/
I could also use this to set the headers: https://github.com/openresty/headers-more-nginx-module?tab=readme-ov-file#more_clear_headers, which even allows you to specifically enumerate the response codes for which the header should be added. But it seems to me like we would rather enumerate response codes where the header should not be added. And basing the condition on the response length is probably a better way regardless.
Changes Proposed
Related to #81
The discussion in #81 highlights a potential bug in this proxy: it always adds a default
Content-Typeheader to the response, even in cases like HTTP 204/304 responses which have no response body and thus for which aContent-Typeheader is inappropriate.This PR updates the Nginx configuration to only set a default
Content-Typeheader when the response body length is not 0, which should prevent undesirable behavior on 204/304 responses.Security Considerations
It seems like adding a
Content-Typeheader was done to resolve a POAM: cloud-gov/product#540At the same time, it seems like the
Content-Typeheader itself may have been an afterthought: #6But for responses where the response body length is 0, I don't see how adding a
Content-Typeheader is ever appropriate.