Key pinning / Nginx reverse proxy

A. Schulze sca at andreasschulze.de
Sat Feb 20 11:10:16 UTC 2016


Thierry:

> Nginx: front end - reverse proxy
> Apache2: Back end - web server

HPKP is a header served to the client in the response to an HTTPS request.
I would add the Public-Key-Pins header on the instance terminating the HTTPS request.

Without rproxy I have this in /etc/nginx/sites-enabled/example.org:

server {
     listen                      *:443 ssl http2;
     server_name                 example.org;
     ssl_certificate             /etc/ssl/example.org/cert+intermediate.pem;
     ssl_certificate_key         /etc/ssl/example.org/key.pem;
     ssl_stapling_file           /etc/ssl/example.org/ocsp.response;
     add_header                  Public-Key-Pins "max-age=42424242; pin-sha256=\"..pin1...\"; pin-sha256=\"..pin2...\";";
     ...
}

Andreas
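Added example (not from the thread, standard library only): computes the pin-sha256 values that go into the Public-Key-Pins header above from a public key in PEM form, builds the header value for the TLS-terminating instance, and checks a received header for the minimum HPKP requires (max-age plus at least two distinct pins, one of them a backup). The Ed25519 keys are constructed sample values, not real keys.

```python
"""HPKP pin computation and Public-Key-Pins header build/check (RFC 7469)."""
import base64
import hashlib
import re

# DER prefix of a SubjectPublicKeyInfo for an Ed25519 key (RFC 8410);
# the raw key bytes below are constructed samples, not real keys.
_ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")
SAMPLE_SPKI_DER = _ED25519_SPKI_PREFIX + bytes(range(1, 33))      # "pin1" key
BACKUP_SPKI_DER = _ED25519_SPKI_PREFIX + bytes(range(33, 65))     # "pin2" key
SAMPLE_SPKI_PEM = ("-----BEGIN PUBLIC KEY-----\n"
                   + base64.encodebytes(SAMPLE_SPKI_DER).decode()
                   + "-----END PUBLIC KEY-----\n")


def spki_pin_from_der(der: bytes) -> str:
    """pin-sha256 = base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(der).digest()).decode()


def spki_pin_from_pem(pem: str) -> str:
    """Same as above for the PEM block 'openssl x509 -pubkey' would print."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    return spki_pin_from_der(base64.b64decode(body))


def build_hpkp_header(pins, max_age: int, include_subdomains: bool = False) -> str:
    """Value for 'add_header Public-Key-Pins "..."' on the HTTPS terminator."""
    if len(set(pins)) < 2:  # a backup pin is mandatory, or clients ignore the header
        raise ValueError("HPKP needs at least two distinct pins")
    for p in pins:
        if len(base64.b64decode(p, validate=True)) != 32:
            raise ValueError(f"not a base64 SHA-256 digest: {p}")
    parts = [f"max-age={max_age}"] + [f'pin-sha256="{p}"' for p in pins]
    if include_subdomains:
        parts.append("includeSubDomains")
    return "; ".join(parts)


_PIN_RE = re.compile(r'pin-sha256="([A-Za-z0-9+/=]+)"')


def parse_hpkp_header(value: str) -> dict:
    """Parse a Public-Key-Pins value as received by the client."""
    m = re.search(r"max-age=(\d+)", value)
    return {"max_age": int(m.group(1)) if m else None,
            "pins": _PIN_RE.findall(value),
            "include_subdomains": "includesubdomains" in value.lower()}


def is_valid_hpkp(value: str) -> bool:
    """True if the header carries max-age and at least two distinct pins."""
    h = parse_hpkp_header(value)
    return h["max_age"] is not None and len(set(h["pins"])) >= 2
```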
