
From: Aline Manera <alinefm@br.ibm.com> Improve kimchi security by redirecting all HTTP requests to HTTPS that way we make sure all information will be send in a secure way to and from the server. Also add Strict-Transport-Security header to avoid SSL stripping (https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping) Signed-off-by: Aline Manera <alinefm@br.ibm.com> --- src/nginx.conf.in | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/src/nginx.conf.in b/src/nginx.conf.in index 967b46b..9218032 100644 --- a/src/nginx.conf.in +++ b/src/nginx.conf.in @@ -17,7 +17,6 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA # 02110-1301 USA - # This is a template file to be used to generate a nginx # proxy config file at kimchid script. @@ -30,7 +29,6 @@ events { worker_connections 1024; } - http { log_format main '$remote_addr - $remote_user [$time_local] "$request" ' @@ -38,18 +36,26 @@ http { '"$http_user_agent" "$http_x_forwarded_for"'; access_log /var/log/nginx/access.log main; - - sendfile on; + sendfile on; server { - listen $proxy_port; listen $proxy_ssl_port ssl; + ssl_certificate $cert_pem; ssl_certificate_key $cert_key; + add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;"; + location / { proxy_pass http://localhost:$kimchid_port; proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } } + + server { + listen $proxy_port; + rewrite ^/(.*)$ https://$host:$proxy_ssl_port/$1 redirect; + } } -- 1.7.10.4
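Review bot: In the new `listen $proxy_port;` server block, the redirect target is built from `$host`, which nginx takes from the client's request line or Host header, and the block sets no `server_name`, so the Location value is whatever name the client sent; the `redirect` flag also makes it a temporary 302. Consider `return 301 https://$host:$proxy_ssl_port$request_uri;` (or a configured server name in place of `$host`), which passes the original request URI through unchanged. In `location /`, `$proxy_add_x_forwarded_for` appends `$remote_addr` to any X-Forwarded-For value the client supplied, so kimchid should trust only `X-Real-IP` or the last entry; if nginx is always the outermost proxy, `proxy_set_header X-Forwarded-For $remote_addr;` avoids forwarding client-chosen values. The HSTS policy with `includeSubdomains` and a one-year max-age applies to the hostname on every port and to its subdomains, so a comment above `add_header` should say that browsers will upgrade plain-HTTP requests to any other service reached under that name.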