Add support for SSI in error pages

daniel-ac-martin · web-flow · commit 9923d431b420 · 2016-09-27T17:57:41.000+01:00
Adds support for Server Side Includes in the error pages. This will
allow consumers to create more advanced error pages, including a
GovUK-branded one for our own purposes.

Replaces the /50x.html location with a more flexible /nginx-proxy/
location, allowing a variety of error pages to be supported and
allowing consumers to add whatever extra static assets they wish.

* Adds a blank error page for NAXSI rejected requests
* Adds support for accessing NAXSI's debug headers

**Note:** This is a breaking change.
diff --git a/Dockerfile b/Dockerfile
@@ -31,6 +31,7 @@ ADD ./go.sh /
 ADD ./enable_location.sh /
 ADD ./location_template.conf /
 ADD ./logging.conf /usr/local/openresty/nginx/conf/
+ADD ./html/ /usr/local/openresty/nginx/html/
 ADD ./readyness.sh /
 ADD ./helper.sh /
 ADD ./refresh_GeoIP.sh /
diff --git a/ci-build.sh b/ci-build.sh
@@ -108,7 +108,7 @@ start_test "Test GEODB settings can reject..." "${STD_CMD} \
            -e \"ENABLE_UUID_PARAM=FALSE\" \
            -e \"ALLOW_COUNTRY_CSV=CG\" \
            -e \"DENY_COUNTRY_ON=TRUE\" \
-           -e \"ADD_NGINX_LOCATION_CFG=error_page 403 /50x.html;\" \
+           -e \"ADD_NGINX_LOCATION_CFG=error_page 403 /nginx-proxy/50x.shtml;\" \
            --link mockserver:mockserver "
 echo "Test GeoIP config IS rejected..."
 if ! curl -v -k https://${DOCKER_HOST_NAME}:${PORT}/ 2>&1 \
diff --git a/enable_location.sh b/enable_location.sh
@@ -183,7 +183,7 @@ location ${LOCATION} {
     ${BASIC_AUTH_CONFIG}
     ${DENY_COUNTRY}
 
-    error_page ${ERROR_REDIRECT_CODES} /50x.html;
+    error_page ${ERROR_REDIRECT_CODES} /nginx-proxy/50x.shtml;
 
     set \$proxy_address "${PROXY_SERVICE_HOST}:${PROXY_SERVICE_PORT}";
 
diff --git a/go.sh b/go.sh
@@ -44,6 +44,8 @@ else
 		listen ${HTTP_LISTEN_PORT} ;
 		listen ${HTTPS_LISTEN_PORT} ssl;
 		set \$real_client_ip_if_set '';
+		set \$http_listen_port '${HTTP_LISTEN_PORT}';
+		set \$https_listen_port '${HTTPS_LISTEN_PORT}';
 	EOF-LISTEN
 fi
 
diff --git a/html/404.shtml b/html/404.shtml
@@ -0,0 +1,7 @@
+<html>
+<head><title>404 Not Found</title></head>
+<body bgcolor="white">
+<center><h1>404 Not Found</h1></center>
+<hr><center>nginx</center>
+</body>
+</html>
diff --git a/html/418-request-denied.shtml b/html/418-request-denied.shtml
diff --git a/html/50x.shtml b/html/50x.shtml
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>Error</title>
+<style>
+    body {
+        width: 35em;
+        margin: 0 auto;
+        font-family: Tahoma, Verdana, Arial, sans-serif;
+    }
+</style>
+</head>
+<body>
+<h1>An error occurred</h1>
+<p>Sorry, the page you are looking for is currently unavailable.<br/>
+Please try again later.</p>
+<p>If you are the system administrator of this resource then you should check
+the <a href="http://nginx.org/r/error_log">error log</a> for details.</p>
+<p><em>Faithfully yours, nginx.</em></p>
+</body>
+</html>
diff --git a/nginx.conf b/nginx.conf
@@ -79,6 +79,9 @@ http {
     include /usr/local/openresty/nginx/conf/upload_size*.conf;
     include /usr/local/openresty/nginx/conf/nginx_http_extras*.conf;
 
+  # Accept underscores in headers as NAXSI does this
+  underscores_in_headers on;
+
   server {
     include /usr/local/openresty/nginx/conf/nginx_statsd_metrics.conf;
     include /usr/local/openresty/nginx/conf/response_body.conf;
@@ -112,10 +115,11 @@ http {
         # Generate a unique ID for use in logs for passing onto applications
         set_by_lua_file $uuidopt /usr/local/openresty/nginx/lua/set_uuid.lua;
 
-        location /50x.html {
-            root /usr/local/openresty/nginx/html;
+        location /nginx-proxy/ {
+            alias /usr/local/openresty/nginx/html/;
+            ssi on;
+            error_page 404 /nginx-proxy/404.shtml;
             allow all;
-            internal;
         }
 
         location /nginx_status {
@@ -127,6 +131,15 @@ http {
         }
 
         location /RequestDenied {
+            # Proxy to ourselves in order to access NAXSI debugging headers
+            proxy_pass https://127.0.0.1:$https_listen_port/nginx-proxy/RequestDenied;
+            internal;
+        }
+
+        location /nginx-proxy/RequestDenied {
+            # Debug information now available in headers ($http_x_naxsi_sig etc.)
+            # Return a 418 (Teapot) status
+            error_page 418 /nginx-proxy/418-request-denied.shtml;
             return 418;
         }
 
