My site is vulnerable to the SSL FREAK attacks.

jinwon42 nginx-forum at nginx.us
Mon Apr 13 07:50:50 UTC 2015


My site is vulnerable to the SSL FREAK attacks.

I have a setting problem.

My setting is....
I want all requests "http" --> "https".
But some locations are "https" --> "http".
ALL Location : https
/companyBrand.do : http only


What's the problem?

---------------------------------------------------------------------------------------------------

    map $request_uri $example_org_preferred_proto {
	default "https";
	~^/mobile/rsvPayOnlyResult2.do "http";
	~^/kor/cartel.do "http";
    }

server {
        listen	443 ssl;
	listen	80;
        server_name  www.test.com;

	charset utf-8;

        #ssl                  on;
        ssl_certificate      D:/nginx-1.7.10/ssl/cert.pem;
        ssl_certificate_key  D:/nginx-1.7.10/ssl/nopasswd.pem;
	ssl_verify_client off;

        ssl_session_timeout  5m;

        ssl_protocols  SSLv3 TLSv1;
        ssl_ciphers  AES256-SHA:HIGH:!EXPORT:!eNULL:!ADH:RC4+RSA;
        ssl_prefer_server_ciphers   on;

	error_page 400	/error/error.html;
	error_page 403	/error/error.html;
	error_page 404	/error/error.html;

	if ($scheme != $example_org_preferred_proto) {
		return 301 $example_org_preferred_proto://$server_name$request_uri;
	}

        location / {
           proxy_set_header Host                $host;
           proxy_set_header X-Real-IP            $remote_addr;
           proxy_set_header X-Forwarded-Host    $host;
           proxy_set_header X-Forwarded-Server    $host;
           proxy_set_header X-Forwarded-For     $proxy_add_x_forwarded_for;
	   proxy_set_header X-Forwarded-Proto 	$scheme;
           proxy_set_header        Host $http_host;
	   proxy_buffering off;
           proxy_connect_timeout 60;
           proxy_read_timeout 60;
           proxy_pass   http://wwwtestcom;
	   proxy_ssl_session_reuse off;
        }
     }

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,257984,257984#msg-257984
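
An added example, not part of the original post: a small Python check that pulls `ssl_protocols` and `ssl_ciphers` out of an nginx configuration and reports whether SSLv3 or RC4 is enabled and whether export-grade suites are explicitly excluded. The token handling is a simplified reading of OpenSSL cipher-string syntax (an assumption of this example), `POSTED` holds the two directives from the post, and `SAMPLE_STRICT` is a constructed comparison sample.

```python
import re

# The two TLS directives from the server block in the post.
POSTED = """
    ssl_protocols  SSLv3 TLSv1;
    ssl_ciphers  AES256-SHA:HIGH:!EXPORT:!eNULL:!ADH:RC4+RSA;
"""

# Constructed comparison sample (not from the post).
SAMPLE_STRICT = """
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers  HIGH:!aNULL:!eNULL:!EXPORT:!RC4;
"""


def directive(conf, name):
    """Return the arguments of the last uncommented `name ...;` line, or None."""
    found = re.findall(r"^\s*%s\s+([^;]+);" % re.escape(name), conf, re.M)
    return found[-1].strip() if found else None


def audit_tls(conf):
    """Report which weak TLS options the directives enable.

    Simplified reading of OpenSSL cipher strings (assumption of this example):
    '!X' permanently excludes X, '-X' and '+X' never add ciphers, a bare
    token adds ciphers, and 'A+B' selects ciphers matching both A and B.
    """
    protocols = (directive(conf, "ssl_protocols") or "").split()
    added, excluded = set(), set()
    for tok in re.split(r"[:,\s]+", directive(conf, "ssl_ciphers") or ""):
        if not tok or tok[0] in "-+@":
            continue
        if tok[0] == "!":
            excluded.add(tok[1:].upper())
        else:
            added.update(tok.upper().split("+"))
    return {
        "sslv3": "SSLv3" in protocols,
        "rc4": any("RC4" in t for t in added) and "RC4" not in excluded,
        "export_excluded": bool(excluded & {"EXPORT", "EXP"}),
    }


if __name__ == "__main__":
    for label, conf in (("posted", POSTED), ("strict", SAMPLE_STRICT)):
        print(label, audit_tls(conf))
```

Run over the post's directives, it reports SSLv3 and RC4 as enabled and the `!EXPORT` exclusion as present.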


