Key pinning / Nginx reverse proxy
Thierry
lenaigst at maelenn.org
Sun Feb 21 09:23:02 UTC 2016
Dear sir,
After I have executed the curl command, it seems that I get an answer
from my Apache2 back-end server (apache2.conf).
Yes, I do see the "Public-Key-Pins:" line... And yes, I do have the
content that I expect.
Public-Key-Pins: pin-sha256="DZNsRcNIolhfdouihfazormhrfozef=";pin-sha256="633ltusrlsqhoagfdgfo79xMD9r9Q="; max-age=2592000; includeSubDomains
But is it really the output of Apache2? There is a syntax difference
between Nginx and Apache2:
Nginx: pin-sha256="DZNsRcNIoiVdK8Img794j8/XGf4+6sDLFjADPWWOddw=";
Apache2: pin-sha256=\"DZNsRcNIoirupeqrhfjpzehfrhfaefhpazf=\";
When the curl command returns the result, I can see that there is
no "\" ... Is that normal?
If yes, why doesn't "ssllabs.com/ssltest" see anything concerning
HPKP?
Thx
On Sunday, 21 February 2016 at 10:37:33, you wrote:
> On Sun, Feb 21, 2016 at 10:22:31AM +0200, Thierry wrote:
> Hi there,
>> Thx for your help, but I still do have the same problem.
>>
>> Public Key Pinning (HPKP) No
>>
>> I don't know what to do anymore ...
> curl -I https://your-server/your-test-url
> Every line in that response comes from your nginx config (possibly
> including defaults) or your back-end config (passed through).
> Do you see a "Public-Key-Pins:" line?
> If so, does it have the content that you expect?
> If not, what part of your nginx config processed the request; and does
> that part have the add_header directive that you want?
> If this is a public web server without any special authentications,
> then the curl response contains no secrets.
> f
--
Cordialement,
Thierry e-mail : lenaigst at maelenn.org
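As an added check that is not part of the thread: a small Python script that validates a Public-Key-Pins header value exactly as it arrives on the wire (e.g. the line shown by `curl -I`). The sample values are constructed, and the script flags the case this thread turns on, a backslash that leaked from the config file's quoting into the header itself, as well as pins that are not a base64-encoded 32-byte SHA-256 digest.

```python
import base64

# Constructed sample header values (not taken from the thread or any real server).
PIN_A = base64.b64encode(b"\x01" * 32).decode()
PIN_B = base64.b64encode(b"\x02" * 32).decode()
GOOD = f'pin-sha256="{PIN_A}"; pin-sha256="{PIN_B}"; max-age=2592000; includeSubDomains'
# What a leaked Apache-style escape would look like on the wire: the backslashes
# belong to the config file's quoting and must never reach the header value.
LEAKED = f'pin-sha256=\\"{PIN_A}\\"; max-age=2592000'

def parse_hpkp(value):
    """Split a Public-Key-Pins value into (pins, max_age, flags)."""
    pins, max_age, flags = [], None, set()
    for directive in (d.strip() for d in value.split(";")):
        if not directive:
            continue
        name, _, raw = directive.partition("=")
        name, raw = name.strip().lower(), raw.strip().strip('\\"')
        if name == "pin-sha256":
            pins.append(raw)
        elif name == "max-age":
            max_age = int(raw) if raw.isdigit() else None
        else:
            flags.add(name)
    return pins, max_age, flags

def check_hpkp(value):
    """Return a list of problems; an empty list means the header is well formed."""
    problems = []
    if "\\" in value:
        problems.append("backslash in header value: config-file escaping leaked onto the wire")
    pins, max_age, flags = parse_hpkp(value)
    for pin in pins:
        try:
            digest = base64.b64decode(pin, validate=True)
        except ValueError:
            problems.append(f"pin is not valid base64: {pin}")
            continue
        if len(digest) != 32:  # SHA-256 of the SPKI is exactly 32 bytes
            problems.append(f"pin decodes to {len(digest)} bytes, expected 32: {pin}")
    if len(pins) < 2:
        problems.append("fewer than two pins: RFC 7469 requires a backup pin")
    if max_age is None:
        problems.append("max-age missing or not an integer")
    return problems

if __name__ == "__main__":
    for label, hdr in (("good", GOOD), ("leaked", LEAKED)):
        print(label, check_hpkp(hdr) or "OK")
```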