Key pinning / Nginx reverse proxy

A. Schulze sca at
Sat Feb 20 11:10:16 UTC 2016


> Nginx: front end - reverse proxy
> Apache2: Back end - web server

HPKP is a header served to the client as the response to an HTTPS request.
I would add the Public-Key-Pins on the instance terminating the HTTPS request.

without rproxy I have this in /etc/nginx/sites-enabled/

server {
    listen                  *:443 ssl http2;
    server_name             ;
    ssl_certificate         /etc/ssl/;
    ssl_certificate_key     /etc/ssl/;
    ssl_stapling_file       /etc/ssl/;
    # The pinning header belongs on the TLS-terminating server (here nginx).
    add_header              Public-Key-Pins "max-age=42424242; pin-sha256=\"..pin1...\"; pin-sha256=\"..pin2...\"";
}
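As an added check (not part of the post above), the following parser validates a Public-Key-Pins value such as the one in that add_header line against the rules of RFC 7469: a required max-age, pin-sha256 values that decode to 32-byte SHA-256 digests, and at least two pins (one of which must be a backup). The sample header and its pin values are constructed dummies, not real SPKI hashes.

```python
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, modelled on the add_header value in the post; the pins
# are base64 of 32 dummy bytes, not hashes of any real public key.
SAMPLE_HEADER = (
    'max-age=42424242; '
    'pin-sha256="' + base64.b64encode(b"\x01" * 32).decode() + '"; '
    'pin-sha256="' + base64.b64encode(b"\x02" * 32).decode() + '"'
)

# name[=value], value either a quoted-string or a bare token
_DIRECTIVE = re.compile(r'^\s*([A-Za-z0-9-]+)\s*(?:=\s*(?:"([^"]*)"|([^;"]*)))?\s*$')


@dataclass
class PinPolicy:
    max_age: Optional[int] = None
    pins: List[bytes] = field(default_factory=list)
    include_subdomains: bool = False
    report_uri: Optional[str] = None
    errors: List[str] = field(default_factory=list)


def parse_public_key_pins(value: str) -> PinPolicy:
    """Parse a Public-Key-Pins header value and collect the violations
    for which a browser would discard the whole policy (RFC 7469 2.1, 2.5)."""
    policy = PinPolicy()
    for raw in value.split(";"):
        if not raw.strip():
            continue
        m = _DIRECTIVE.match(raw)
        if not m:
            policy.errors.append(f"unparsable directive: {raw.strip()!r}")
            continue
        name = m.group(1).lower()  # directive names are case-insensitive
        val = m.group(2) if m.group(2) is not None else m.group(3)
        if name == "pin-sha256":
            try:
                digest = base64.b64decode(val or "", validate=True)
            except ValueError:  # binascii.Error is a ValueError
                digest = b""
            if len(digest) != 32:
                policy.errors.append(f"pin-sha256 is not a base64 SHA-256 digest: {val!r}")
            else:
                policy.pins.append(digest)
        elif name == "max-age":
            if val is None or not val.strip().isdigit():
                policy.errors.append(f"max-age must be a non-negative integer: {val!r}")
            else:
                policy.max_age = int(val)
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "report-uri":
            policy.report_uri = val
        # any other directive is ignored, as RFC 7469 requires
    if policy.max_age is None:
        policy.errors.append("max-age directive is required")
    if len(policy.pins) < 2:  # one pin must match the chain, one must be a backup
        policy.errors.append("at least two pin-sha256 values are required")
    return policy
```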

