NGINX-Configs/etc/nginx/snippets/proxy.conf

# Proxy Header Settings
# Use this with all reverse proxy vhosts

# Force http 1.1, anything not supporting it shouldn't be used
proxy_http_version 1.1;

# Replay attack mitigation for early data
proxy_set_header Early-Data $ssl_early_data;

# Restore visitor IP
proxy_set_header X-Real-IP $remote_addr;

# Forward host header
proxy_set_header Host $host;

# Upgrade connection
proxy_set_header   Upgrade $http_upgrade;
proxy_set_header   Connection "upgrade";

# Enable X-Forwarded headers
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-Port $server_port;

# Hide X-Powered-By
proxy_hide_header X-Powered-By;

# CVE-2018-14773
proxy_set_header X-Original-URL "";
proxy_set_header X-Rewrite-URL "";

# Not the CVE, but is extremely similar
proxy_set_header X-Original-URI "";

# Potentially dangerous: https://github.com/oauth2-proxy/oauth2-proxy/issues/735
proxy_set_header X-Original-Method "";
proxy_set_header X-Forwarded-Method "";
Initial file upload Signed-off-by: Tommy <contact@tommytran.io> 2024-06-24 10:21:29 -07:00			`# Proxy Header Settings`
			`# Use this with all reverse proxy vhosts`

			`# Force http 1.1, anything not supporting it shouldn't be used`
			`proxy_http_version 1.1;`

			`# Replay attack mitigation for early data`
			`proxy_set_header Early-Data $ssl_early_data;`

			`# Restore visitor IP`
			`proxy_set_header X-Real-IP $remote_addr;`

			`# Forward host header`
Change proxy_set_header Host back to $host Signed-off-by: Tommy <contact@tommytran.io> 2024-10-21 05:13:09 -07:00			`proxy_set_header Host $host;`
Initial file upload Signed-off-by: Tommy <contact@tommytran.io> 2024-06-24 10:21:29 -07:00
			`# Upgrade connection`
			`proxy_set_header Upgrade $http_upgrade;`
			`proxy_set_header Connection "upgrade";`

			`# Enable X-Forwarded headers`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
Add extra headers Signed-off-by: Tommy <contact@tommytran.io> 2024-10-13 01:25:32 -07:00			`proxy_set_header X-Forwarded-Host $host;`
Use http_host Signed-off-by: Tommy <contact@tommytran.io> 2024-10-12 23:54:54 -07:00			`proxy_set_header X-Forwarded-Proto $scheme;`
Add extra headers Signed-off-by: Tommy <contact@tommytran.io> 2024-10-13 01:25:32 -07:00			`proxy_set_header X-Forwarded-Ssl on;`
			`proxy_set_header X-Forwarded-Port $server_port;`
Hide X-Powered-By 2024-10-13 05:15:14 -07:00
			`# Hide X-Powered-By`
Change proxy_set_header Host back to $host Signed-off-by: Tommy <contact@tommytran.io> 2024-10-21 05:13:09 -07:00			`proxy_hide_header X-Powered-By;`
Block dangerous X headers 2025-01-03 06:15:48 -07:00
			`# CVE-2018-14773`
			`proxy_set_header X-Original-URL "";`
			`proxy_set_header X-Rewrite-URL "";`

			`# Not the CVE, but is extremely similar`
			`proxy_set_header X-Original-URI "";`

			`# Potentially dangerous: https://github.com/oauth2-proxy/oauth2-proxy/issues/735`
			`proxy_set_header X-Original-Method "";`
			`proxy_set_header X-Forwarded-Method "";`