In Previous Guide We Have Talked How To Add IPv6 to IPv4 Server With Nginx Reverse Proxy To Have IPv6 on IPv4 Only Hosts. In this Guide We Will Show the Nginx IPv6 Reverse Proxy Configuration For HSTS Website. Which is Slightly Different than Normal HTTPS Website. Improperly Configured Proxy Will Break HSTS Header By Repeating the Sequence. It is not only HSTS, but also HPKP and Alternate Protocol headers which gets affected.
Advertisement ---
Nginx IPv6 Reverse Proxy Configuration For HSTS : Method 1
This is an example of header which we normally use for Nginx IPv6 reverse proxy :
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 | server { listen [::]:443 ssl http2; server_name thecustomizewindows.com; ... # ssl directives here ... add_header Alternate-Protocol 443:npn-spdy/3; add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload'; add_header Public-Key-Pins 'pin-sha256="snqzW9Bwdb/++vjcA36+kbP/qaVMmnB9ckuI3qAkihQ="; pin-sha256="BJKSF/6L2QXz4xK6MVj2RTiyPlFzQx3NcpuxnuqdABk="; report-uri="https://abhishekghosh.report-uri.io/r/default/csp/enforce"; max-age=5184000; includeSubDomains'; location / { proxy_pass https://thecustomizewindows.com:443; # live webiste on IPV4 proxy_redirect off; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } } |
On online tools like SSL Labs Dev website, you’ll get the header response printed. First method is to add proxy_hide_header directive under location directive to prevent HSTS getting duplicated :
1 2 3 4 5 6 7 8 9 10 11 12 | ... location / { proxy_pass https://thecustomizewindows.com:443; proxy_hide_header Strict-Transport-Security; proxy_hide_header Public-Key-Pins; proxy_hide_header Alternate-Protocol; proxy_redirect off; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } ... |
However, this method is not preferred by us.
Nginx IPv6 Reverse Proxy Configuration For HSTS : Method 2
Basically if we omit the add_header Strict-Transport-Security like directives on reverse proxy server, second (read main IPv4 server) automatically will pass the HSTS header. Simply comment out them :
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 | server { listen [::]:443 ssl http2; server_name thecustomizewindows.com; ... # ssl directives here ... #add_header Alternate-Protocol 443:npn-spdy/3; #add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload'; #add_header Public-Key-Pins 'pin-sha256="snqzW9Bwdb/++vjcA36+kbP/qaVMmnB9ckuI3qAkihQ="; pin-sha256="BJKSF/6L2QXz4xK6MVj2RTiyPlFzQx3NcpuxnuqdABk="; report-uri="https://abhishekghosh.report-uri.io/r/default/csp/enforce"; max-age=5184000; includeSubDomains'; location / { proxy_pass https://thecustomizewindows.com:443; # live webiste on IPV4 proxy_redirect off; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } } |
Now formally run config test and restart Nginx. Check SSL Grading on SSL Labs Tool. You can see our result here :
1 | https://www.ssllabs.com/ssltest/analyze.html?d=thecustomizewindows.com |
When your domain is HTTPS everywhere atlas listed, for wrong HSTS configuration, many things can go wrong, not only the grading by SSL Labs.
