How to do proxy in this case

Francis Daly francis at
Wed Jun 7 06:17:29 UTC 2017

On Tue, Jun 06, 2017 at 09:13:55AM -0400, David Woodstuck wrote:

Hi there,

> I have one proxy server(nginx) - such as and three upstream
> servers -, for my one
> application. Contents from upstream servers have a lot of iframes which
> have different domains. I want to allow XSS for these different domains. I
> don't know how to achieve XSS for this application.

If these different domains are all under your control; and if you
want them to always work together as a single application; then if you
configure things such that the three upstream servers have their content
at different places in the url hierarchy, you can use nginx to simply
reverse-proxy for all three.

The browser will only ever talk to nginx using the server name, so there
is no XSS involved since there is only one S, and therefore no X.

> For instance, when contents from has two iframes that their
> src are and, can I do the
> following to achieve XSS?

If you control things, I suggest it would be simpler to have all of the
content below /content1; all of the content below content2; and all of
the content below

Then your iframes would not include the server name part, just the
local part -- so your iframes would refer to /content1/ and /content2/
in this case.

Your nginx conf would include fragments like

  location ^~ /content1/ { proxy_pass; }
  location ^~ /content2/ { proxy_pass; }
  location ^~ /content3/ { proxy_pass; }

> (1). replace with
>       replace with
>       add_header for XSS

You would not need to do that in the scheme above, since "name1" and
"name2" should never exist in the content.

> (2). When request is coming, proxy to

That part you would do, with the config shown.

>       add_header for XSS

That part you do not need, since there is no XSS.

> (3). When request is coming, proxy to
>       add_header for XSS

Same as (2).

> I only have limited knowledge of Nginx. I like to use NginxScript to
> achieve this goal. Can I do it in Nginx? I do appreciate your suggestion
> and some examples.

I would suggest avoiding the need for any kind of content rewriting,
and just keeping the nginx side very simple. Get the overall system
config the way you want it, and it should Just Work.

Good luck with it,

Francis Daly        francis at
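The path-prefix scheme from the reply above, written out as a complete nginx server block. This is an added example, not configuration from the original thread; the server name, upstream addresses and certificate paths are assumed placeholders.

```nginx
# Added example: one public origin (nginx) in front of three upstreams,
# each mounted under its own path prefix. The upstream addresses, the
# public server name and the TLS paths below are assumptions.
upstream app1 { server 10.0.0.11:8080; }   # assumed address
upstream app2 { server 10.0.0.12:8080; }   # assumed address
upstream app3 { server 10.0.0.13:8080; }   # assumed address

server {
    listen 443 ssl;
    server_name app.example.com;                  # assumed single public name
    ssl_certificate     /etc/nginx/tls/app.crt;   # assumed path
    ssl_certificate_key /etc/nginx/tls/app.key;   # assumed path

    # Hand the public host name and scheme to every upstream so any
    # absolute links or redirects they build already point at this one
    # origin (assumes the upstreams accept the public name as Host).
    proxy_set_header Host              $host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;

    # The trailing slash on proxy_pass strips the /contentN/ prefix
    # before the request reaches the upstream. Drop the slash if an
    # upstream already serves its pages under that prefix.
    # nginx's default proxy_redirect maps Location headers that start
    # with the proxy_pass URL back onto the location prefix, so an
    # upstream redirect to its own root lands on /contentN/ again.
    # proxy_cookie_path keeps each upstream's cookies scoped to its
    # prefix so three apps setting a cookie at "/" do not clobber each
    # other on the shared origin.
    location ^~ /content1/ {
        proxy_pass http://app1/;
        proxy_cookie_path / /content1/;
    }
    location ^~ /content2/ {
        proxy_pass http://app2/;
        proxy_cookie_path / /content2/;
    }
    location ^~ /content3/ {
        proxy_pass http://app3/;
        proxy_cookie_path / /content3/;
    }
}
```

With this in place the page from app1 embeds its frames as `src="/content2/..."` and `src="/content3/..."`; every frame is served from app.example.com, so frame and parent share one origin and no cross-origin allowance is needed.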
