
The Customize Windows

Technology Journal


By Abhishek Ghosh November 22, 2016 8:53 am Updated on November 22, 2016

Nginx IPv6 Reverse Proxy Configuration For HSTS Website


In the previous guide, we talked about how to add IPv6 to an IPv4 server with an Nginx reverse proxy, to have IPv6 on IPv4-only hosts. In this guide we show the Nginx IPv6 reverse proxy configuration for an HSTS website, which is slightly different from that of a normal HTTPS website. An improperly configured proxy will break the HSTS header by repeating the sequence. It is not only HSTS; the HPKP and Alternate-Protocol headers are also affected.


 

Nginx IPv6 Reverse Proxy Configuration For HSTS : Method 1

 

This is an example of the headers we normally use for an Nginx IPv6 reverse proxy:

server {
        listen [::]:443 ssl http2;
        server_name thecustomizewindows.com;
...
# ssl directives here
...
        # Headers added by the proxy itself on every response
        add_header Alternate-Protocol  443:npn-spdy/3;
        add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
        add_header Public-Key-Pins 'pin-sha256="snqzW9Bwdb/++vjcA36+kbP/qaVMmnB9ckuI3qAkihQ="; pin-sha256="BJKSF/6L2QXz4xK6MVj2RTiyPlFzQx3NcpuxnuqdABk="; report-uri="https://abhishekghosh.report-uri.io/r/default/csp/enforce"; max-age=5184000; includeSubDomains';
        location / {
                proxy_pass         https://thecustomizewindows.com:443; # live website on IPv4
                proxy_redirect     off;
                proxy_set_header   Host             $host;
                proxy_set_header   X-Real-IP        $remote_addr;
                proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
        }
}

Online tools such as the SSL Labs Dev website print the response headers. The first method is to add proxy_hide_header directives under the location directive to prevent HSTS from being duplicated:

...
        location / {
                proxy_pass         https://thecustomizewindows.com:443;
                # Hide the upstream copies of these headers from the client
                proxy_hide_header  Strict-Transport-Security;
                proxy_hide_header  Public-Key-Pins;
                proxy_hide_header  Alternate-Protocol;
                proxy_redirect     off;
                proxy_set_header   Host             $host;
                proxy_set_header   X-Real-IP        $remote_addr;
                proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
        }
...

However, this method is not preferred by us.

 

Nginx IPv6 Reverse Proxy Configuration For HSTS : Method 2

 

Basically, if we omit the add_header Strict-Transport-Security and similar directives on the reverse proxy server, the second server (read: the main IPv4 server) will automatically pass the HSTS header. Simply comment them out:

server {
        listen [::]:443 ssl http2;
        server_name thecustomizewindows.com;
...
# ssl directives here
...
        # Commented out: the upstream IPv4 server already sends these headers
        #add_header Alternate-Protocol  443:npn-spdy/3;
        #add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
        #add_header Public-Key-Pins 'pin-sha256="snqzW9Bwdb/++vjcA36+kbP/qaVMmnB9ckuI3qAkihQ="; pin-sha256="BJKSF/6L2QXz4xK6MVj2RTiyPlFzQx3NcpuxnuqdABk="; report-uri="https://abhishekghosh.report-uri.io/r/default/csp/enforce"; max-age=5184000; includeSubDomains';
        location / {
                proxy_pass         https://thecustomizewindows.com:443; # live website on IPv4
                proxy_redirect     off;
                proxy_set_header   Host             $host;
                proxy_set_header   X-Real-IP        $remote_addr;
                proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
        }
}

Now run the Nginx configuration test and restart Nginx. Check the SSL grading with the SSL Labs tool. You can see our result here:

https://www.ssllabs.com/ssltest/analyze.html?d=thecustomizewindows.com
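
As a local complement to the SSL Labs check, this added example (not part of the original article) reads raw response headers and reports which of the three headers discussed above appear more than once. The function names and both header samples are constructed for illustration, and the pin value and example.com are placeholders.

```sh
#!/bin/sh
# Added example: report security headers that occur more than once.
# Reads raw HTTP response headers on stdin; prints the lower-cased name of
# each watched header seen more than once, one per line, sorted.
dup_security_headers() {
    tr -d '\r' | awk -F: '
        BEGIN {
            watch["strict-transport-security"] = 1
            watch["public-key-pins"] = 1
            watch["alternate-protocol"] = 1
        }
        NF > 1 {                      # header lines only (status line has no colon)
            name = tolower($1)        # HTTP/2 tools print lower-case names
            if (name in watch) count[name]++
        }
        END { for (n in count) if (count[n] > 1) print n }
    ' | sort
}

# Constructed sample: proxy add_header lines plus the relayed upstream copies.
sample_duplicated() {
    printf '%s\r\n' 'HTTP/1.1 200 OK' 'Server: nginx' \
        'Alternate-Protocol: 443:npn-spdy/3' \
        'Strict-Transport-Security: max-age=31536000; includeSubDomains; preload' \
        'Public-Key-Pins: pin-sha256="PLACEHOLDER="; max-age=5184000; includeSubDomains' \
        'alternate-protocol: 443:npn-spdy/3' \
        'strict-transport-security: max-age=31536000; includeSubDomains; preload' \
        'public-key-pins: pin-sha256="PLACEHOLDER="; max-age=5184000; includeSubDomains' ''
}

# Constructed sample: Method 2 applied, only the upstream copies remain.
sample_single() {
    printf '%s\r\n' 'HTTP/1.1 200 OK' 'Server: nginx' \
        'Alternate-Protocol: 443:npn-spdy/3' \
        'Strict-Transport-Security: max-age=31536000; includeSubDomains; preload' \
        'Public-Key-Pins: pin-sha256="PLACEHOLDER="; max-age=5184000; includeSubDomains' ''
}

# Live use over IPv6, without following redirects (example.com is a placeholder):
#   curl -sI -6 https://example.com/ | dup_security_headers
sample_duplicated | dup_security_headers
```

An empty result means each watched header was sent at most once.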

When your domain is listed in the HTTPS Everywhere Atlas, a wrong HSTS configuration can make many things go wrong, not only the grading by SSL Labs.
