[Kimchi-devel] [PATCH] security: Redirect all HTTP requests to HTTPS
Daniel H Barboza
danielhb at linux.vnet.ibm.com
Mon Apr 28 17:49:31 UTC 2014
Reviewed-by: Daniel Barboza <danielhb at linux.vnet.ibm.com>
On 04/25/2014 03:03 PM, Aline Manera wrote:
> From: Aline Manera <alinefm at br.ibm.com>
>
> Improve kimchi security by redirecting all HTTP requests to HTTPS; that
> way we make sure all information will be sent in a secure way to and
> from the server.
>
> Also add Strict-Transport-Security header to avoid SSL stripping
> (https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping)
>
> Signed-off-by: Aline Manera <alinefm at br.ibm.com>
> ---
> src/nginx.conf.in | 16 +++++++++++-----
> 1 file changed, 11 insertions(+), 5 deletions(-)
>
> diff --git a/src/nginx.conf.in b/src/nginx.conf.in
> index 967b46b..9218032 100644
> --- a/src/nginx.conf.in
> +++ b/src/nginx.conf.in
> @@ -17,7 +17,6 @@
> # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
> # 02110-1301 USA
>
> -
> # This is a template file to be used to generate a nginx
> # proxy config file at kimchid script.
>
> @@ -30,7 +29,6 @@ events {
> worker_connections 1024;
> }
>
> -
> http {
>
> log_format main '$remote_addr - $remote_user [$time_local] "$request" '
> @@ -38,18 +36,26 @@ http {
> '"$http_user_agent" "$http_x_forwarded_for"';
>
> access_log /var/log/nginx/access.log main;
> -
> - sendfile on;
> + sendfile on;
>
> server {
> - listen $proxy_port;
> listen $proxy_ssl_port ssl;
> +
> ssl_certificate $cert_pem;
> ssl_certificate_key $cert_key;
>
> + add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
> +
> location / {
> proxy_pass http://localhost:$kimchid_port;
> proxy_set_header Host $host;
> + proxy_set_header X-Real-IP $remote_addr;
> + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
> }
> }
> +
> + server {
> + listen $proxy_port;
> + rewrite ^/(.*)$ https://$host:$proxy_ssl_port/$1 redirect;
> + }
> }
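Review bot: the redirect in the new `server { listen $proxy_port; ... }` block uses the `redirect` flag, which emits a temporary 302; a permanent 301 (the `permanent` flag, or `return 301 https://$host:$proxy_ssl_port$request_uri;`) lets clients and caches remember the HTTP-to-HTTPS move and is the usual idiom for this. Two smaller points on the `add_header Strict-Transport-Security` line: the trailing `;` inside the quoted value is unnecessary (the conventional form is `"max-age=31536000; includeSubDomains"`), and `includeSubDomains` with a one-year max-age makes browsers refuse plain HTTP to every subdomain of the host, so it should only stay if all subdomains are served over TLS. Placing the header in the HTTPS server block only is correct, since browsers ignore HSTS received over plain HTTP.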