# Proxy Header Settings
# Use this with all reverse proxy vhosts

# Force http 1.1, anything not supporting it shouldn't be used
proxy_http_version 1.1;

# Replay attack mitigation for early data
proxy_set_header Early-Data $ssl_early_data;

# Restore visitor IP
proxy_set_header X-Real-IP $remote_addr;

# Forward host header
proxy_set_header Host $host;

# Upgrade connection
proxy_set_header   Upgrade $http_upgrade;
proxy_set_header   Connection "upgrade";

# Enable X-Forwarded headers
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-Port $server_port;

# Hide X-Powered-By
proxy_hide_header X-Powered-By;

# CVE-2018-14773
proxy_set_header X-Original-URL "";
proxy_set_header X-Rewrite-URL "";

# Not the CVE, but is extremely similar
proxy_set_header X-Original-URI "";

# Potentially dangerous: https://github.com/oauth2-proxy/oauth2-proxy/issues/735
proxy_set_header X-Original-Method "";
proxy_set_header X-Forwarded-Method "";