[Solved] Creating a dynamic response header. Possible?

Added by jens-maus almost 5 years ago

Hi,

I haven't found anything related in here or the documentation, so I do hope someone has some clue how to achieve the following or state if this is not possible at all.

What I am currently trying to achieve is to create a dynamic "Content-Security-Policy" response header in the lighttpd configuration. Currently I do have the following setenv statement in the lighttpd config:


setenv.add-response-header = (
    "Content-Security-Policy" => "default-src 'self';frame-ancestors 'self';script-src 'unsafe-inline' 'unsafe-eval' 'self' *.XXX.com https://gitcdn.xyz ;style-src 'unsafe-inline' 'self';img-src 'self' data: ;connect-src 'self' http://*:8088"
)

Please note the last "http://*:8088/" bit. This I want to replace with using the local ip address instead of the full wildcard (*) using something like:


setenv.add-response-header = (
    "Content-Security-Policy" => "default-src 'self';frame-ancestors 'self';script-src 'unsafe-inline' 'unsafe-eval' 'self' *.XXX.com https://gitcdn.xyz ;style-src 'unsafe-inline' 'self';img-src 'self' data: ;connect-src 'self' http://" + HTTP["localip"] + ":8088"
)

But as soon as I add this HTTP["localip"] or anything else using "+" to the Content-Security-Policy string, lighttpd returns an invalid config error.

So what I would like to achieve is to actually be able to add something dynamically to the Content-Security-Policy string by using the "+" concatenation. But for some reason this doesn't seem to work here. Is this supported at all in the given context or how do I have to do the above?

Any help would be highly appreciated.


Replies (3)

RE: Creating a dynamic response header. Possible? - Added by gstrauss almost 5 years ago

> Is this supported at all in the given context or how do I have to do the above?

No, the config file does not support that. Where did you find any reference to $HTTP["localip"] in lighttpd? You can't invent things and then assume it will work. That is unreasonable. It also means that you probably did not try to read the lighttpd documentation. This is lighttpd. You might desire to take syntax from another web server and apply it here, but if you have not looked in the documentation, you are wasting your time and ours. Please don't do that.

mod_magnet can be used to execute dynamic code to evaluate and set headers, among other things. However, mod_magnet does not expose the local IP to lua, as the listen address could be a wildcard address, and lighttpd does not provide an interface to lua to get the connection fd and call getsockname(). See AbsoLUAtion for some examples using lua code, but not specifically what you are trying to do. If you are planning to configure lighttpd to listen on specific IP addresses, then you can use mod_setenv to set a request header to that IP address in each $SERVER["socket"] block, and then you can use mod_magnet to dynamically construct the response header.

RE: [Solved] Creating a dynamic response header. Possible? - Added by jens-maus almost 5 years ago

Sorry for the confusion with the unknown "HTTP["localip"]" variable. This was just meant to be an example and I didn't mean that this variable actually has to exist. In fact, what I actually wanted to know is if it is possible at all to use the "+" operator on the add-response-header definitions like the following example:


setenv.add-response-header = (
    "Content-Security-Policy" => "default-src 'self' http://" + server.name + ":8088"
)

So in this specific case, shouldn't "server.name" work? At least looking at the documentation shows that "+" could be used to construct dynamic strings in the configuration (see https://redmine.lighttpd.net/projects/1/wiki/Docs_Configuration). However, my own tests currently show that this doesn't seem to be possible ATM. Or did I miss something again?

RE: [Solved] Creating a dynamic response header. Possible? - Added by gstrauss almost 5 years ago

> Or did I miss something again?

Your pattern matching is a bit lacking. Did you see any example which uses $HTTP[...] with '+'?

The lighttpd configuration file is evaluated once when the server is started. The '+' are resolved from variables at startup.

I suggest you script up something to generate the lighttpd.conf, since there are many scripting languages, and lighttpd.conf does not endeavor to be its own full-fledged scripting language because lighttpd is a web server and not a scripting language.
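
The suggestion above to generate the config with a script, as an added example that is not part of the original thread or lighttpd's own code: a POSIX shell function that writes the setenv block from the first post with one validated IPv4 address in place of the wildcard. The function names and the sample address are assumptions.

```shell
#!/bin/sh
# Added example: emit the CSP setenv block with a fixed IP instead of "*".
# Function names are hypothetical; the policy text is the one from the first post.

# Accept only a dotted-quad IPv4 address. Rejecting everything else keeps
# quotes, ';', whitespace and newlines out of the generated config string,
# so the value cannot close the string or append extra CSP directives.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # digits and single dots only
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                                  # split into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print the config fragment for the given address, or fail without output.
render_csp_conf() {
    valid_ipv4 "$1" || { echo "invalid IPv4 address: $1" >&2; return 1; }
    cat <<EOF
setenv.add-response-header = (
    "Content-Security-Policy" => "default-src 'self';frame-ancestors 'self';script-src 'unsafe-inline' 'unsafe-eval' 'self' *.XXX.com https://gitcdn.xyz ;style-src 'unsafe-inline' 'self';img-src 'self' data: ;connect-src 'self' http://$1:8088"
)
EOF
}

# Usage (constructed address and file name):
#   render_csp_conf 192.168.1.10 > csp.conf
```

The output can be written to a file that lighttpd.conf pulls in with `include`, or produced at startup with `include_shell`; either way the header is fixed when the server starts, as described above.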
