http headers vanish when proxying http errors through nginx

Question

I'm using nginx as TLS terminator in front of an Apache 2.4 server.

I'm using add_header X-Content-Type-Options nosniff; in nginx to add this header to every response.

If the HTTP status code returned by Apache is below 400 the header is correctly set, but if the status is greater or equal 400 the header is omitted.

Same for the gzip module. If the status code is below 500, the gzip module automatically compresses the response body. But if the HTTP status code geturned by Apache is greater or equal 500 the gzip module just does nothing.

Some relevant parts of my nginx config:

proxy_intercept_errors    off;
proxy_ignore_client_abort off;
proxy_http_version        1.1;
proxy_hide_header         X-Powered-By;
proxy_set_header          Connection  "";     #for keepalive to backend
add_header X-Content-Type-Options nosniff;
gzip
gzip on;
gzip_min_length 20;     #default: 20
gzip_comp_level 9;
gzip_proxied any;
gzip_vary on;
gzip_types *;
gunzip on;

Is there anything I can do to deactivate this behaviour and add my header to HTTP error responses and even gzip HTTP 500 responses?

score 6 · Accepted Answer · answered Aug 05 '17 at 21:48

Today I stumbled upon the solution in an ssl labs thread over here: https://community.qualys.com/thread/17333-hsts-header-not-being-set-by-nginx-on-error

Basically you have to add the always keyword in the add_header config option. Quoting the nginx docs (http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header):

If the always parameter is specified (1.7.5), the header field will be added regardless of the response code.

This helps and now every response (including the errors) have all headers set as expected.

http headers vanish when proxying http errors through nginx

gzip

1 Answers1