46 lines
1.4 KiB
Plaintext
46 lines
1.4 KiB
Plaintext
# Proxy Header Settings
|
|
# Use this with all reverse proxy vhosts
|
|
|
|
# Force http 1.1, anything not supporting it shouldn't be used
|
|
proxy_http_version 1.1;
|
|
|
|
# Signal to upstream whether ssl_early_data is used
|
|
proxy_set_header Early-Data $ssl_early_data;
|
|
|
|
# Restore visitor IP
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
|
|
# Forward host header
|
|
proxy_set_header Host $host;
|
|
|
|
# Upgrade connection
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection "upgrade";
|
|
|
|
# Enable X-Forwarded headers
|
|
|
|
## Using $proxy_add_x_forwarded_for will append the $remote_addr to the end of the the IP lists
|
|
## If some clients sends a fake X-Forwarded-For, and the upstream server does not parses this
|
|
## correctly, it could result in security issues.
|
|
## We are not behind a reverse proxy, so just set it to $remote_addr should be good enough.
|
|
proxy_set_header X-Forwarded-For $remote_addr;
|
|
|
|
proxy_set_header X-Forwarded-Host $host;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_set_header X-Forwarded-Ssl on;
|
|
proxy_set_header X-Forwarded-Port $server_port;
|
|
|
|
# Hide X-Powered-By
|
|
proxy_hide_header X-Powered-By;
|
|
|
|
# CVE-2018-14773
|
|
proxy_set_header X-Original-URL "";
|
|
proxy_set_header X-Rewrite-URL "";
|
|
|
|
# Not the CVE, but is extremely similar
|
|
proxy_set_header X-Original-URI "";
|
|
|
|
# Potentially dangerous: https://github.com/oauth2-proxy/oauth2-proxy/issues/735
|
|
proxy_set_header X-Original-Method "";
|
|
proxy_set_header X-Forwarded-Method "";
|