search

NginxProxyManager / nginx-proxy-manager

Docker container for managing Nginx proxy hosts with a simple, powerful interface
https://nginxproxymanager.com
MIT License
21.77k stars 2.52k forks source link

Unnecessary HSTS header over HTTP #1005

Closed DarioViva42 closed 7 months ago

DarioViva42 commented 3 years ago

grafik

I wanted to add my Website to the hsts-preload list: https://hstspreload.org/ With the current configuration I was able to add my site to the list. But I still have this very annoying message. The hsts header should only be added if i access the page with https, but not when i access it over http. grafik

I have tried a lot of different methods over the last days, but none seemed to work. First I tried to add the header in my node application instead of in the npm (not node package manager, but nginx proxy manager). But this obviously does not work, as the https terminates at the npm. so req.connection.enrypted is always undefined.

var proto = req.connection.encrypted ? 'https' : 'http';
if (proto =="https") {
  res.setHeader("Strict-Transport-Security", "max-age=31536000;includeSubDomains; preload");
}

I also tried to solve it in the advanced settings: grafik

but this immediately makes the applikation stop working. grafik

It really seemes that I am not able to solve this problem on my own and I need your help. I think the problem needs to be tackled inside npm itself.

Kind Regards

Dario Viva

l4rm4nd commented 3 years ago

Put the following line into your advanced configuration of npm:

include conf.d/include/force-ssl.conf;

image

This ensures that your site is only accessible by an encrypted communication channel (HTTPS). If a request occurs on HTTP, a redirect to HTTPS will take place.

DarioViva42 commented 9 months ago

@l4rm4nd sorry for taking so long to respond to you (wow its more than two years past) I just wanted you to inform you that your solution sadly did not work. But I found something that should probably work. https://websistent.com/add-the-hsts-header-only-for-https-requests-nginx/ but this configuration can probably not changed easily by myself. when i add map into the Custom Nginx Configuration field the service goes offline.

andresatierf commented 7 months ago

@jc21 I believe this change causes something to break. I don't know a lot about nginx but recently I can't add a location block to my proxy hosts without them going offline. I looked around for the problem and found this in the db image as well as this change compared to previously created files image (sorry for the colorscheme)

DarioViva42 commented 7 months ago

Hey @andresatierf I am sorry if this change really causes your break. I modified the files to the best of my knowledge, but I was never able to build it locally. @jc21 was so kind to merge this, so I figured that my commit was alright.