Nginx/Apache: set HSTS only if X-Forwarded-Proto is https
Solution 1:
You could have multiple server blocks. So just add new server block for domains that need HSTS.
server {
listen xx.xx.xxx.xxx:443 ssl default_server;
# all ssl stuff
# and other directives
}
server {
listen xx.xx.xxx.xxx:443 ssl;
server_name example.com other.example.com;
# all ssl stuff
# and other directives with HSTS enabled
}
Here first block will handle all https connections except example.com
and other.example.com
.
And you don't need ssl on
directive if you have ssl
flag in listen
.
EDIT
There is another solution with only one server block:
map $scheme:$host $hsts_header {
default "";
https:example.com "max-age=31536000";
https:other.example.com "max-age=31536000";
}
server {
server_tokens off;
listen xx.xx.xxx.xxx:80;
listen xx.xx.xxx.xxx:443 ssl;
ssl_certificate /etc/ssl/foo.crt;
ssl_certificate_key /etc/ssl/private/foo.key;
ssl_session_timeout 10m;
# ... other ssl stuff
location / {
proxy_pass http://127.0.0.1:81;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header Host $host;
add_header X-XSS-Protection "1; mode=block";
add_header Strict-Transport-Security $hsts_header;
}
}
We use map
to define HSTS header value and use the fact, than nginx will not add header with empty value.