My site is vulnerable to the SSL FREAK attacks.

jinwon42 nginx-forum at
Mon Apr 13 07:50:50 UTC 2015

My site is reported as vulnerable to the SSL FREAK attack.

I have a configuration problem.

My setup is as follows:
I want all "http" requests redirected to "https",
but some locations should be redirected from "https" back to "http".
ALL Location : https
/ : http only

What is the problem?


    # Picks the scheme each request should end up on, keyed on the request URI:
    # "https" unless the URI starts with /mobile/ or /kor/, which map to "http".
    # The result is read by the redirect `if` in the server block.
    # NOTE(review): the closing "}" of this map is not present in the post as
    # shown; nginx will not load the file without it.
    # NOTE(review): pages sent back to plain http can be read and modified in
    # transit, and any session cookie that is not marked Secure is sent in
    # clear text on those paths -- confirm that is acceptable for /mobile/ and
    # /kor/.
    map $request_uri $example_org_preferred_proto {
	default "https";
	~^/mobile/ "http";
	~^/kor/ "http";

# One server block answers both plain HTTP (80) and TLS (443), redirects each
# request to the scheme chosen by $example_org_preferred_proto, and proxies
# everything under / to the upstream "wwwtestcom" (defined outside this post).
# NOTE(review): several closing "}" (the `if`, `location /` and `server`
# blocks) and one directive value are missing in the post as shown; they were
# probably lost when the message was pasted or archived.
server {
        listen	443 ssl;
	listen	80;

	charset utf-8;

        #ssl                  on;
        ssl_certificate      D:/nginx-1.7.10/ssl/cert.pem;
        # NOTE(review): the file name suggests the private key is stored without
        # a passphrase; if so, restrict read access to the account nginx runs as.
        ssl_certificate_key  D:/nginx-1.7.10/ssl/nopasswd.pem;
	ssl_verify_client off;

        ssl_session_timeout  5m;

        # SSLv3 is enabled here and is broken by design (POODLE); it should be
        # dropped. TLSv1 is the only other protocol offered, so clients cannot
        # negotiate TLSv1.1 or TLSv1.2 even if the linked OpenSSL supports them.
        ssl_protocols  SSLv3 TLSv1;
        # FREAK relies on the server accepting RSA export-grade suites. "!EXPORT"
        # removes those permanently from this list, so the later "RC4+RSA" cannot
        # bring them back. If a scanner still reports FREAK, the handshake it
        # tested was presumably answered with other settings -- check for another
        # server block that is the default for the same listen address, a
        # different TLS terminator in front of nginx, and the OpenSSL build in use.
        # Separately: "RC4+RSA" re-enables RC4, which is considered weak, and
        # putting AES256-SHA first together with ssl_prefer_server_ciphers means
        # a suite without forward secrecy is preferred.
        ssl_ciphers  AES256-SHA:HIGH:!EXPORT:!eNULL:!ADH:RC4+RSA;
        ssl_prefer_server_ciphers   on;

	error_page 400	/error/error.html;
	error_page 403	/error/error.html;
	error_page 404	/error/error.html;

	# Redirect when the scheme in use differs from the one the map selected.
	# NOTE(review): no server_name directive appears in the posted config, and
	# the redirect target is built from $server_name -- confirm a name is set,
	# otherwise the Location header will not contain a usable host.
	# A 301 is cached by browsers, so a wrong mapping stays in effect for
	# clients that have already seen it.
	if ($scheme != $example_org_preferred_proto) {
		return 301 $example_org_preferred_proto://$server_name$request_uri;

        location / {
           # Host is set twice in this block (here from $host, further down from
           # $http_host, the raw client-supplied header) -- keep only one.
           proxy_set_header Host                $host;
           proxy_set_header X-Real-IP            $remote_addr;
           proxy_set_header X-Forwarded-Host    $host;
           proxy_set_header X-Forwarded-Server    $host;
           # NOTE(review): the value and terminating ";" of the next directive
           # are missing in the post as shown; as written nginx would not parse it.
           proxy_set_header X-Forwarded-For       
	   proxy_set_header X-Forwarded-Proto 	$scheme;
           proxy_set_header        Host $http_host;
	   proxy_buffering off;
           proxy_connect_timeout 60;
           proxy_read_timeout 60;
           # Traffic to the upstream is plain http, so TLS ends at this server.
           proxy_pass   http://wwwtestcom;
	   # Applies only to https upstreams; with the http:// proxy_pass above
	   # it has no effect.
	   proxy_ssl_session_reuse off;

Posted at Nginx Forum:,257984,257984#msg-257984
