Key pinning / Nginx reverse proxy

Thierry lenaigst at maelenn.org
Sun Feb 21 09:23:02 UTC 2016


Dear sir,

After I have executed the curl command, it seems that I have an answer 
from my Apache2 back-end server (apache2.conf).
Yes, I do see the "Public-Key-Pins:" line... And yes, I do have the 
content that I expect.

Public-Key-Pins: pin-sha256="DZNsRcNIolhfdouihfazormhrfozef=";pin-sha256="633ltusrlsqhoagfdgfo79xMD9r9Q="; max-age=2592000; includeSubDomains

But is it really the output of Apache2? There is a syntax difference 
between Nginx and Apache2:

Nginx:  pin-sha256="DZNsRcNIoiVdK8Img794j8/XGf4+6sDLFjADPWWOddw=";
Apache2:  pin-sha256=\"DZNsRcNIoirupeqrhfjpzehfrhfaefhpazf=\";

When the curl command returns me the result, I can see that there is 
no "\" ... Is it normal?

If yes, why doesn't "ssllabs.com/ssltest" see anything concerning 
the HPKP?

Thx

On Sunday, 21 February 2016 at 10:37:33, you wrote:

> On Sun, Feb 21, 2016 at 10:22:31AM +0200, Thierry wrote:

> Hi there,

>> Thx for your help, but I still do have the same problem.
>> 
>> Public Key Pinning (HPKP)       No
>> 
>> I don't know what to do anymore ...

> curl -I https://your-server/your-test-url

> Every line in that response comes from your nginx config (possibly
> including defaults) or your back-end config (passed through).

> Do you see a "Public-Key-Pins:" line?

> If so, does it have the content that you expect?

> If not, what part of your nginx config processed the request; and does
> that part have the add_header directive that you want?

> If this is a public web server without any special authentications,
> then the curl response contains no secrets.

>         f



-- 
Cordialement,
 Thierry                            e-mail : lenaigst at maelenn.org
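Added example, not part of the thread or of either server's code: a small Python checker for what `curl -I` actually shows on the wire for `Public-Key-Pins`. It parses the header value the way a browser would (RFC 7469 directives separated by `;`), verifies that every `pin-sha256` is a double-quoted base64 string decoding to a 32-byte SHA-256 digest, and flags the two failure modes the message is worried about: a backslash that leaked out of a config file, and a pin that is not valid base64. The 44-character pin is the one on the thread's nginx example line; the backup pin and both header strings are constructed sample input, not values from any real site.

```python
"""Check a Public-Key-Pins (HPKP, RFC 7469) header value as it appears on the wire."""
import base64
import binascii
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class HpkpReport:
    pins: list = field(default_factory=list)        # decoded 32-byte SPKI digests
    max_age: Optional[int] = None
    include_subdomains: bool = False
    report_uri: Optional[str] = None
    problems: list = field(default_factory=list)    # human-readable findings

    @property
    def ok(self) -> bool:
        return not self.problems


def parse_hpkp(header_value: str) -> HpkpReport:
    """Parse a Public-Key-Pins value and record everything a client would reject.

    Directives are ';'-separated.  Each pin-sha256 must be a double-quoted base64
    encoding of a 32-byte digest; RFC 7469 also requires max-age and at least
    two pins (one of them a backup), otherwise the header is ignored.
    """
    rep = HpkpReport()
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip()

        if name == "pin-sha256":
            # A backslash on the wire means a config-file escape was passed through.
            if "\\" in value:
                rep.problems.append(f"backslash in pin value (config escape leaked): {directive}")
                continue
            if len(value) < 2 or value[0] != '"' or value[-1] != '"':
                rep.problems.append(f"pin value is not double-quoted: {directive}")
                continue
            digest_b64 = value[1:-1]
            try:
                digest = base64.b64decode(digest_b64, validate=True)
            except (binascii.Error, ValueError):
                rep.problems.append(f"pin is not valid base64: {digest_b64}")
                continue
            if len(digest) != 32:
                rep.problems.append(f"pin decodes to {len(digest)} bytes, expected 32: {digest_b64}")
                continue
            rep.pins.append(digest)
        elif name == "max-age":
            if value.isdigit():
                rep.max_age = int(value)
            else:
                rep.problems.append(f"max-age is not a non-negative integer: {directive}")
        elif name == "includesubdomains":
            rep.include_subdomains = True
        elif name == "report-uri":
            rep.report_uri = value.strip('"')
        else:
            rep.problems.append(f"unknown directive: {directive}")

    if rep.max_age is None:
        rep.problems.append("max-age directive is missing")
    if len(rep.pins) < 2:
        rep.problems.append(f"only {len(rep.pins)} valid pin(s); RFC 7469 requires a backup pin")
    elif len(set(rep.pins)) != len(rep.pins):
        rep.problems.append("duplicate pins")
    return rep


# Sample values.  PRIMARY_PIN is the well-formed pin from the nginx line in the
# message; BACKUP_PIN and both headers are constructed for this example only.
PRIMARY_PIN = "DZNsRcNIoiVdK8Img794j8/XGf4+6sDLFjADPWWOddw="
BACKUP_PIN = base64.b64encode(bytes(range(32))).decode()
GOOD_HEADER = ('pin-sha256="' + PRIMARY_PIN + '"; pin-sha256="' + BACKUP_PIN + '"; '
               'max-age=2592000; includeSubDomains')
# The same header with the \" escapes of an Apache "Header set" line leaking onto the wire.
LEAKED_HEADER = ('pin-sha256=\\"' + PRIMARY_PIN + '\\"; pin-sha256=\\"' + BACKUP_PIN + '\\"; '
                 'max-age=2592000')

if __name__ == "__main__":
    for label, hdr in (("good", GOOD_HEADER), ("leaked", LEAKED_HEADER)):
        rep = parse_hpkp(hdr)
        print(label, "OK" if rep.ok else "REJECTED", rep.problems)
```

Paste the exact `Public-Key-Pins:` value that `curl -I` printed into `parse_hpkp` to see whether a client would accept it. On the syntax point: in nginx the `add_header` value is normally wrapped in single quotes, so the inner double quotes are written plainly; in Apache's `Header set` the value is wrapped in double quotes, so the inner ones are written `\"` and the config parser removes the backslashes before the header is sent. Either way, a correct header on the wire contains no backslash.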


