toomuchio / plex-nginx-reverseproxy

Configuration to serve Plex Media Center https://plex.tv using Nginx https://nginx.com

Add Strict-Transport-Security header #1

Closed sander1 closed 7 years ago

sander1 commented 7 years ago

Prevent multiple (possible) redirects from http to https by instructing modern browsers to always use https: https://bjornjohansen.no/optimizing-https-nginx

toomuchio commented 7 years ago

text/html is a nice catch; I remember having not included that due to the fact that the HTML code that Plex pushes is always very little, mostly just bootstrapping a ton of JavaScript and CSS. Always less than 1000 bytes.

With regards to the HSTS, Plex says in a few places (I think one is when you turn on required for the secure connections) that it may also still send some requests unencrypted. I was waiting to see if any issues were raised about incompatibility before forcing HSTS, since once you perform that, you cannot take it back until the rule expires.

However, presently you can just remove the "server { listen 80" block and add listen 80 to the secure block and you're good to go again.

toomuchio commented 7 years ago

Applied your suggestions; had to make some alterations. Thanks for that :)
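
The layout discussed in this thread, as an added example that is not the repository's configuration and not written by either commenter: a redirect-only port 80 block plus an HSTS header with a deliberately short max-age while client compatibility is checked. The hostname, certificate paths and upstream address are assumptions.

```nginx
# Added example, not the repository's config. plex.example.com and the
# certificate paths are placeholders; the upstream address assumes Plex
# listening on its default port 32400 on the same host.

# Plain-HTTP listener: its only job is the single redirect to HTTPS.
server {
    listen 80;
    server_name plex.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name plex.example.com;

    ssl_certificate     /path/to/fullchain.pem;   # placeholder
    ssl_certificate_key /path/to/privkey.pem;     # placeholder

    # Browsers cache this policy for max-age seconds and refuse plain HTTP
    # to this host until it expires, so start small (300 = 5 minutes) and
    # raise it only after every client has been seen to work over TLS.
    # "always" (nginx 1.7.5+) also sends the header on error responses.
    add_header Strict-Transport-Security "max-age=300" always;

    location / {
        # add_header is inherited from the server level only when this
        # location defines no add_header of its own; adding one here would
        # silently drop the HSTS header unless it is repeated.
        proxy_pass http://127.0.0.1:32400;
        proxy_set_header Host $host;
    }
}
```

After a reload, `curl -sI https://plex.example.com/` should show the `Strict-Transport-Security` line; browsers ignore the header when it arrives over plain HTTP, so it belongs only in the TLS block.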