From: Aline Manera <alinefm(a)br.ibm.com>
Improve kimchi security by redirecting all HTTP requests to HTTPS; that
way we make sure all information will be sent in a secure way to and
from the server.
Also add Strict-Transport-Security header to avoid SSL stripping
(
https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping)
Signed-off-by: Aline Manera <alinefm(a)br.ibm.com>
---
src/nginx.conf.in | 16 +++++++++++-----
1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/src/nginx.conf.in b/src/nginx.conf.in
index 967b46b..9218032 100644
--- a/src/nginx.conf.in
+++ b/src/nginx.conf.in
@@ -17,7 +17,6 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
# 02110-1301 USA
-
# This is a template file to be used to generate a nginx
# proxy config file at kimchid script.
@@ -30,7 +29,6 @@ events {
worker_connections 1024;
}
-
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request"
'
@@ -38,18 +36,26 @@ http {
'"$http_user_agent"
"$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
-
- sendfile on;
+ sendfile on;
server {
- listen $proxy_port;
listen $proxy_ssl_port ssl;
+
ssl_certificate $cert_pem;
ssl_certificate_key $cert_key;
+ add_header Strict-Transport-Security "max-age=31536000;
includeSubdomains;";
+
location / {
proxy_pass
http://localhost:$kimchid_port;
proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
+
+ server {
+ listen $proxy_port;
+ rewrite ^/(.*)$ https://$host:$proxy_ssl_port/$1 redirect;
+ }
}
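Review bot: The redirect at the end of the hunk, `rewrite ^/(.*)$ https://$host:$proxy_ssl_port/$1 redirect;`, answers with a temporary 302 and rebuilds the target from the already-decoded `$uri` capture rather than the original request line, so clients will not cache it as permanent and percent-encoded paths may not round-trip exactly; the conventional form is `return 301 https://$host:$proxy_ssl_port$request_uri;`, which preserves the request path and query string byte-for-byte. `$host` is taken from the client's Host header, so the redirect target is client-controlled; that only affects the requester's own response, but pinning it to a configured server name would be safer if the template ever gains one. For the HSTS line, `add_header` in older nginx releases is only emitted on 2xx/3xx responses (the `always` flag arrived in 1.7.5 and may not be available here), and `includeSubdomains` with a one-year max-age will also force HTTPS on any other service sharing a parent hostname with this host — likely fine for a dedicated appliance, but worth a one-line comment in the template. The added `X-Real-IP`/`X-Forwarded-For` headers are only trustworthy if the backend on `$kimchid_port` is reachable solely from this proxy (bound to localhost), which is decided outside this file.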
--
1.7.10.4