Skip to content

Unnecessary HSTS header over HTTP #1005

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
DarioViva42 opened this issue Apr 9, 2021 · 4 comments · Fixed by #3360
Closed

Unnecessary HSTS header over HTTP #1005

DarioViva42 opened this issue Apr 9, 2021 · 4 comments · Fixed by #3360
Labels
bug

Comments

@DarioViva42
Copy link
Contributor

grafik

I wanted to add my Website to the hsts-preload list: https://hstspreload.org/
With the current configuration I was able to add my site to the list. But I still have this very annoying message.
The hsts header should only be added if i access the page with https, but not when i access it over http.
grafik

I have tried a lot of different methods over the last days, but none seemed to work. First I tried to add the header in my node application instead of in the npm (not node package manager, but nginx proxy manager). But this obviously does not work, as the https terminates at the npm. so req.connection.enrypted is always undefined.

var proto = req.connection.encrypted ? 'https' : 'http';
if (proto =="https") {
  res.setHeader("Strict-Transport-Security", "max-age=31536000;includeSubDomains; preload");
}

I also tried to solve it in the advanced settings:
grafik

but this immediately makes the applikation stop working.
grafik

It really seemes that I am not able to solve this problem on my own and I need your help. I think the problem needs to be tackled inside npm itself.

Kind Regards

Dario Viva
@DarioViva42 DarioViva42 added the bug label Apr 9, 2021
@l4rm4nd
Copy link

l4rm4nd commented Jun 22, 2021

Put the following line into your advanced configuration of npm:

include conf.d/include/force-ssl.conf;

image

This ensures that your site is only accessible by an encrypted communication channel (HTTPS). If a request occurs on HTTP, a redirect to HTTPS will take place.

@DarioViva42
Copy link
Contributor Author

@l4rm4nd sorry for taking so long to respond to you (wow its more than two years past)
I just wanted you to inform you that your solution sadly did not work.
But I found something that should probably work.
https://websistent.com/add-the-hsts-header-only-for-https-requests-nginx/
but this configuration can probably not changed easily by myself.
when i add map into the Custom Nginx Configuration field the service goes offline.

DarioViva42 added a commit to DarioViva42/nginx-proxy-manager that referenced this issue Dec 2, 2023
@DarioViva42
only add hsts header with https.
289e438 
fixes NginxProxyManager#1005
for more information look at: https://websistent.com/add-the-hsts-header-only-for-https-requests-nginx/
@DarioViva42 DarioViva42 mentioned this issue Dec 2, 2023
Merged
@jc21 jc21 closed this as completed in #3360 Jan 8, 2024
@andresatierf
Copy link

@jc21 I believe this change causes something to break. I don't know a lot about nginx but recently I can't add a location block to my proxy hosts without them going offline. I looked around for the problem and found this in the db
image
as well as this change compared to previously created files
image
(sorry for the colorscheme)

@DarioViva42
Copy link
Contributor Author

Hey @andresatierf
I am sorry if this change really causes your break. I modified the files to the best of my knowledge, but I was never able to build it locally.
@jc21 was so kind to merge this, so I figured that my commit was alright.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

only add hsts header with https. DarioViva42/nginx-proxy-manager
3 participants
@l4rm4nd @andresatierf @DarioViva42