How to split the nginx config across multiple lines?

Question

Especially when configuring HPKP header (or other long headers in general) it would be useful to split a line in an nginx config over multiple lines.

This is the desired result:

pin-sha256="X3pGTSOuJeEVw989IJ/cEtXUEmy52zs1TZQrU06KUKg=";
pin-sha256="MHJYVThihUrJcxW6wcqyOISTXIsInsdj3xK8QrZbHec="; 
pin-sha256="isi41AizREkLvvft0IRW4u3XMFR2Yg7bvrF7padyCJg="; 
pin-sha256="I/bAACUzdYEFNw2ZKRaypOyYvvOtqBzg21g9a5WVClg="; 
pin-sha256="Y4/Gxyck5JLLnC/zWHtSHfNljuMbOJi6dRQuRJTgYdo="; 
pin-sha256="/oCVQg3nP3DroGpFdAbaiYzenycUftqrH3LAyaIal2g=";

However for the browser it should only be one line:

pin-sha256="X3pGTSOuJeEVw989IJ/cEtXUEmy52zs1TZQrU06KUKg="; pin-sha256="MHJYVThihUrJcxW6wcqyOISTXIsInsdj3xK8QrZbHec="; pin-sha256="isi41AizREkLvvft0IRW4u3XMFR2Yg7bvrF7padyCJg="; pin-sha256="I/bAACUzdYEFNw2ZKRaypOyYvvOtqBzg21g9a5WVClg="; pin-sha256="Y4/Gxyck5JLLnC/zWHtSHfNljuMbOJi6dRQuRJTgYdo="; pin-sha256="/oCVQg3nP3DroGpFdAbaiYzenycUftqrH3LAyaIal2g=";

So I've tried some things, but I'm not satisfied with the results...

First try: Just split it

add_header Public-Key-Pins '
pin-sha256="X3pGTSOuJeEVw989IJ/cEtXUEmy52zs1TZQrU06KUKg=";
pin-sha256="MHJYVThihUrJcxW6wcqyOISTXIsInsdj3xK8QrZbHec=";
pin-sha256="isi41AizREkLvvft0IRW4u3XMFR2Yg7bvrF7padyCJg=";
pin-sha256="I/bAACUzdYEFNw2ZKRaypOyYvvOtqBzg21g9a5WVClg=";
pin-sha256="Y4/Gxyck5JLLnC/zWHtSHfNljuMbOJi6dRQuRJTgYdo=";
pin-sha256="/oCVQg3nP3DroGpFdAbaiYzenycUftqrH3LAyaIal2g=";
'

This works, but with curl I can see that the browsers receives the header with all line breaks...

Second try: Backslash

Actually in the already linked article Scott Helme recommends this:

add_header Public-Key-Pins ' \
pin-sha256="X3pGTSOuJeEVw989IJ/cEtXUEmy52zs1TZQrU06KUKg="; \
pin-sha256="MHJYVThihUrJcxW6wcqyOISTXIsInsdj3xK8QrZbHec="; \
pin-sha256="isi41AizREkLvvft0IRW4u3XMFR2Yg7bvrF7padyCJg="; \
pin-sha256="I/bAACUzdYEFNw2ZKRaypOyYvvOtqBzg21g9a5WVClg="; \
pin-sha256="Y4/Gxyck5JLLnC/zWHtSHfNljuMbOJi6dRQuRJTgYdo="; \
pin-sha256="/oCVQg3nP3DroGpFdAbaiYzenycUftqrH3LAyaIal2g="; \
'

However in my case this just added the slashes and also returned them to the browser, so this does not work.

So how can I do this?

Bonus

Of course comments for every line would be an awesome addition:

pin-sha256="X3pGTSOuJeEVw989IJ/cEtXUEmy52zs1TZQrU06KUKg="; # current ECDSA
pin-sha256="MHJYVThihUrJcxW6wcqyOISTXIsInsdj3xK8QrZbHec="; # current RSA (nginx 1.11.0)
pin-sha256="isi41AizREkLvvft0IRW4u3XMFR2Yg7bvrF7padyCJg="; # backup ECDSA 1
pin-sha256="I/bAACUzdYEFNw2ZKRaypOyYvvOtqBzg21g9a5WVClg="; # backup ECDSA 2
pin-sha256="Y4/Gxyck5JLLnC/zWHtSHfNljuMbOJi6dRQuRJTgYdo="; # backup RSA 1
pin-sha256="/oCVQg3nP3DroGpFdAbaiYzenycUftqrH3LAyaIal2g="; # backup RSA 2

What? How can I do that? But besides of that I rather want a solution for this in the nginx config file directly. I mean it is not such an extraordinary request to be able to use multiple lines for a config directive... at least this is what I though. — rugk, Jun 01 '16 at 18:22
This still could be in your config file. It's just a question if your nginx is compiled with one of these modules enabled. — Alexey Ten, Jun 01 '16 at 18:25
Currently it is not compiled with these modules (unless they are in the default set of modules compiled by nginx), but I could certainly compile a version with such a module... If it helps to solve this "problem". — rugk, Jun 01 '16 at 18:29

score 19 · Accepted Answer · edited Sep 13 '17 at 15:48

19

You might need to consider variable nesting that will look something like this:

set $PKP '';
set $PKP '${PKP}pin-sha256="X3pGTSOuJeEVw989IJ/cEtXUEmy52zs1TZQrU06KUKg=";'; # current ECDSA
set $PKP '${PKP}pin-sha256="MHJYVThihUrJcxW6wcqyOISTXIsInsdj3xK8QrZbHec=";'; # current RSA (nginx 1.11.0)
set $PKP '${PKP}pin-sha256="isi41AizREkLvvft0IRW4u3XMFR2Yg7bvrF7padyCJg=";';  # Backup ECDSA 1
set $PKP '${PKP}pin-sha256="I/bAACUzdYEFNw2ZKRaypOyYvvOtqBzg21g9a5WVClg=";';  # Backup ECDSA 2
set $PKP '${PKP}pin-sha256="Y4/Gxyck5JLLnC/zWHtSHfNljuMbOJi6dRQuRJTgYdo=";'; # backup RSA 1
set $PKP '${PKP}pin-sha256="/oCVQg3nP3DroGpFdAbaiYzenycUftqrH3LAyaIal2g=";';  # Backup RSA 2

add_header Public-Key-Pins $PKP;

edited Sep 13 '17 at 15:48

Community

1

answered Jun 06 '17 at 14:03

BlackHOST

316
2
7

That's indeed a good idea and it works. It is more of a workaround, but it's certainly a way to do it. – rugk Jun 06 '17 at 18:37
when I put it into server {} I got: nginx: [emerg] unexpected "s" – Atombit Jun 20 '19 at 13:02
I get `nginx: [emerg] "set" directive is not allowed here in /etc/nginx/conf.d/myfile.conf:42` when I try this – run_the_race Oct 08 '21 at 09:09

score -1 · Answer 2 · answered Dec 07 '16 at 00:50

-1

the ; is the separator

so you can put things on multiple lines, just end the last line only with the ;

answered Dec 07 '16 at 00:50

MrE

418
1
6
14

That's what I tried in `First try: Just split it` if I understand it correctly. The issue there was that the client received the header with all line breaks. – rugk Dec 09 '16 at 20:38
then your only hope is put everything on one line. let your editor wrap if that bothers you – MrE Dec 09 '16 at 23:47

How to split the nginx config across multiple lines?

First try: Just split it

Second try: Backslash

Bonus

2 Answers2