Reputation: 17306
OS: Ubuntu 14.04
Nginx: nginx version: nginx/1.4.6 (Ubuntu)
To provide clickjacking protection on the browser side for frames, the X-Frame-Options header can be set in 3 different ways:
DENY
SAMEORIGIN
ALLOW-FROM <uri>
PS: https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet (for the compatibility matrix) and https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options (Note: don't mix Apache with Nginx for the configuration part).
I want to enable display of frames / iframes (generated/provided by the Log parser plugin) on my Jenkins machine, i.e. on the Jenkins job's dashboard. For more info you can see some background here: Jenkins Log parser plugin - parsed console log page is not showing Load denied by X-Frame-Options does not permit framing ERR_BLOCKED_BY_RESPONSE
For that, I need to make sure the following line is NOT present in my NGINX configuration for the Jenkins https conf file, or comment it out.
add_header X-Frame-Options DENY;
Comment out this line and the frames will now render fine in your browser, i.e. on the job's dashboard, but doing this will bring security issues.
To implement the second option, remove/replace the above line OR make sure the following line EXISTS in your NGINX config file for the Jenkins https conf.
add_header X-Frame-Options SAMEORIGIN;
Now, the 3rd approach takes the words ALLOW-FROM https://_URI_value, with / without double quotes starting before ALLOW-FROM and ending after the URL part.
This will tell NGINX to allow rendering of frames that are coming from the given URI (the JENKINS URL in my case), so I tried the following:
#ALLOW-FROM https://my.company.jenkins.com/
#add_header X-Frame-Options ALLOW-FROM https://my.company.jenkins.com/
#add_header X-Frame-Options "ALLOW-FROM https://my.company.jenkins.com/"
If I enable just the first line (as listed above for the 3rd approach) and run sudo service nginx restart; sleep 1; tail -1 /var/log/nginx/error.log, then I'm getting the following output / error.
* Restarting nginx nginx [fail]
2017/08/24 15:27:39 [emerg] 127120#0: unknown directive "ALLOW-FROM" in /etc/nginx/sites-enabled/jenkins_https.conf:23
If I enable just the 2nd or just the 3rd line (as listed above for the 3rd approach), then I'm getting the following output / error for both the 2nd and 3rd lines.
* Restarting nginx nginx [fail]
2017/08/24 15:29:49 [emerg] 127189#0: invalid number of arguments in "add_header" directive in /etc/nginx/sites-enabled/jenkins_https.conf:23
How can I successfully use the ALLOW-FROM syntax within the nginx config file so that the restart succeeds without the above failures and it allows rendering of frames/iframes coming from a given URI/URL?
PS: Using add_header X-Frame-Options SAMEORIGIN; my issue is resolved, but I'm mainly looking for why the ALLOW-FROM <URI/URL> syntax is not working and giving me the above error messages.
Upvotes: 3
Views: 12754
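The two errors in the question come from how nginx tokenises a directive line: an unquoted ALLOW-FROM https://... is split at the space into two arguments, and a line that starts with ALLOW-FROM is read as a directive name. The following added example (my own, not code from the question, nginx or Jenkins) models those parse-time checks and validates the X-Frame-Options value; it assumes shlex's POSIX quoting is close enough to nginx's for these lines, and the sample config lines are constructed from the attempts above.

```python
import shlex
from urllib.parse import urlsplit

def split_directive(line):
    """Split one nginx directive line into arguments using shlex's POSIX rules,
    which match what matters here: unquoted whitespace separates arguments and
    a "..." or '...' string is one argument. The trailing ';' is dropped first."""
    return shlex.split(line.strip().rstrip(";"), comments=True)

def check_xfo_value(value):
    """Validate an X-Frame-Options value: DENY, SAMEORIGIN or ALLOW-FROM <uri>.
    ALLOW-FROM is obsolete and ignored by most current browsers (see the MDN page
    cited in the question), so a well-formed one is accepted but flagged."""
    parts = value.split(None, 1)
    token = parts[0].upper() if parts else ""
    if token in ("DENY", "SAMEORIGIN") and len(parts) == 1:
        return "ok"
    if token == "ALLOW-FROM" and len(parts) == 2:
        u = urlsplit(parts[1])
        if u.scheme in ("http", "https") and u.netloc:
            return "ok (ALLOW-FROM is obsolete; prefer CSP frame-ancestors)"
    return f'invalid X-Frame-Options value "{value}"'

def check_add_header_line(line):
    """Mimic nginx's parse-time checks for one add_header line. nginx >= 1.7.5
    allows an optional third argument that must be "always"; the 1.4.6 build in
    the question has no third argument, so for the unquoted ALLOW-FROM form it
    reports "invalid number of arguments" instead of "invalid parameter"."""
    args = split_directive(line)
    if not args:
        return "ok"                          # blank line or comment
    name, params = args[0], args[1:]
    if name != "add_header":                 # the only directive modelled here
        return f'unknown directive "{name}"'
    if len(params) not in (2, 3):
        return 'invalid number of arguments in "add_header" directive'
    if len(params) == 3 and params[2] != "always":
        return f'invalid parameter "{params[2]}"'
    if params[0].lower() == "x-frame-options":
        return check_xfo_value(params[1])
    return "ok"

# Constructed sample lines: the question's three attempts, the quoted form from
# the first answer, and a line that omits the header name entirely.
SAMPLE_LINES = [
    "ALLOW-FROM https://my.company.jenkins.com/",
    "add_header X-Frame-Options ALLOW-FROM https://my.company.jenkins.com/",
    'add_header X-Frame-Options "ALLOW-FROM https://my.company.jenkins.com/";',
    "add_header X-Frame-Options SAMEORIGIN;",
    'add_header "allow-from https://my.example.com/";',
]
```

Running check_add_header_line over SAMPLE_LINES reproduces the "unknown directive" and argument-count failures for the first two attempts and accepts only the quoted form and SAMEORIGIN.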
Reputation: 1742
The syntax accepted above doesn't work.
The expected syntax is:
add_header X-Frame-Options "allow-from https://my.example.com/";
Tested successfully on versions nginx/1.11.9 and nginx/1.15.9
Upvotes: 7
Reputation: 1734
You've probably already figured this out, but just for posterity: to specify allow-from in add_header, use this syntax:
add_header X-Frame-Options "allow-from https://my.example.com/";
Upvotes: 0