bundles/nginx: do not set X-Forwarded-Proto if https is disabled, do not use http2 without ssl

Franzi 2020-09-20 15:46:39 +02:00
parent 6a67b1a4ae
commit 151d8e92c3
Signed by: kunsi
GPG key ID: 12E3D2136B818350


@ -15,16 +15,16 @@ server {
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m; ssl_session_cache shared:SSL:10m;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
% else: % else:
listen 80 http2; listen 80;
listen [::]:80 http2; listen [::]:80;
% endif % endif
resolver 8.8.8.8 8.8.4.4 valid=300s; resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s; resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
% if not do_not_set_content_security_headers: % if not do_not_set_content_security_headers:
add_header Referrer-Policy same-origin; add_header Referrer-Policy same-origin;
add_header X-Frame-Options "SAMEORIGIN"; add_header X-Frame-Options "SAMEORIGIN";
@ -42,7 +42,9 @@ server {
proxy_set_header Host ${domain}; proxy_set_header Host ${domain};
proxy_set_header X-Script-Name /; proxy_set_header X-Script-Name /;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
% if node.metadata['nginx']['use_ssl_for_all_connections']:
proxy_set_header X-Forwarded-Proto HTTPS; proxy_set_header X-Forwarded-Proto HTTPS;
% endif
proxy_set_header X-Forwarded-Host ${domain}; proxy_set_header X-Forwarded-Host ${domain};
proxy_buffering off; proxy_buffering off;
} }
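Review bot: In the second hunk, when `use_ssl_for_all_connections` is false the new `% if` / `% endif` leaves `X-Forwarded-Proto` without any `proxy_set_header` at all, and nginx then passes the client's own `X-Forwarded-Proto` request header through to the upstream unchanged, so a request over the plain-HTTP `listen 80` listener can present itself to the backend as `https`. The proxy should always own this header rather than omit it: either drop the template conditional and use `proxy_set_header X-Forwarded-Proto $scheme;` (nginx fills in `http` or `https` from the actual connection), or, if the upstream depends on the uppercase `HTTPS` value currently sent, keep the branch and add `% else:` with `proxy_set_header X-Forwarded-Proto http;` so the header is overridden in both cases. The same header-passthrough concern does not apply to `X-Forwarded-For`, which is already rewritten via `$proxy_add_x_forwarded_for`. The enclosing `location`/`server` block opens before this hunk; only its closing brace is visible here. In the first hunk the `Strict-Transport-Security` `add_header` appears once inside the ssl branch and once after `% endif`, and the rendering does not make clear which placement is the new one; only the ssl-branch placement is consistent with this commit's intent, since the header should not be emitted on the plain-HTTP listener.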