    Question about Headers IIS reverse proxy with NGINX

    IT Discussion
      killmasta93

      Hi

      I was wondering if someone could shed some light on the issue I'm having.

      Currently I have NGINX working great as a reverse proxy for my IIS.

      I'm trying to get Strict-Transport-Security, X-Frame-Options and X-Content-Type-Options working on my NGINX, but it keeps showing that they are not getting applied when I check

      https://securityheaders.com

      server {
      #       listen 80;
              listen 443 ssl;
              server_name sub.domain.com;

              ssl_certificate /etc/letsencrypt/live/sub.domain.com/fullchain.pem;
              ssl_certificate_key /etc/letsencrypt/live/sub.domain.com/privkey.pem;
              ssl_dhparam /etc/ssl/certs/dhparam.pem;
              ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
              ssl_session_timeout 1d;
              ssl_session_cache shared:SSL:50m;
              ssl_stapling on;
              ssl_stapling_verify on;

              ## security headers
              # Block loading in an iFrame
              add_header X-Frame-Options SAMEORIGIN;
              # Enforce HTTPS
              add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
              # Blocks hidden malicious scripts
              add_header X-Content-Type-Options nosniff;
              # Stops scripts from unknown sources
              add_header X-XSS-Protection "1; mode=block";
              # Content security policy
              add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
              # Referrer policy
              add_header Referrer-Policy "origin-when-cross-origin" always;
              # Permissions policy
              add_header Feature-Policy "camera 'none'; microphone 'none'; geolocation 'none'" always;
              add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;

              location ~ /.well-known {
                  root /var/www/letsencrypt;
                  allow all;
              }

              location / {
                  proxy_pass http://192.168.3.211:8096/;

                  # headers setting
                  proxy_set_header Host $host;
                  proxy_set_header X-Real-IP $remote_addr;
                  proxy_set_header X-Forwarded-For $remote_addr;
                  proxy_set_header X-Forwarded-Proto $scheme;
                  proxy_set_header X-Client-IP $remote_addr;
              }
      }


      I'm going to assume

      proxy_set_header Host $host; is what shows the header of the IIS?

      Thank you
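Two nginx behaviours worth ruling out when server-level headers seem to vanish behind a proxy, shown as an added example that is not part of killmasta93's post: `add_header` directives are only inherited into a `location` when that location defines no `add_header` of its own, and without `always` the headers are attached only to 200/201/204/206/30x responses, so a 401 or 404 coming back from the backend arrives without them. The snippet path and the extra `Cache-Control` header are assumptions made for the illustration; the upstream address is the one from the post.

```nginx
# /etc/nginx/snippets/security-headers.conf  (assumed path for this example)
# "always" attaches the headers regardless of the response status code.
add_header X-Frame-Options SAMEORIGIN always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options nosniff always;
add_header Referrer-Policy "origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;

# The two server blocks below are alternatives for the same site; use one.

# --- weak: the headers are lost inside the location -------------------------
server {
    listen 443 ssl;
    server_name sub.domain.com;
    include snippets/security-headers.conf;

    location / {
        # Any add_header at this level replaces the whole inherited set, so the
        # five headers above are no longer sent on proxied responses.
        add_header Cache-Control "no-store";        # assumed extra header
        proxy_pass http://192.168.3.211:8096/;
        proxy_set_header Host $host;
    }
}

# --- corrected: include the snippet in every block that uses add_header -----
server {
    listen 443 ssl;
    server_name sub.domain.com;
    include snippets/security-headers.conf;

    location / {
        add_header Cache-Control "no-store";        # assumed extra header
        include snippets/security-headers.conf;     # re-add the security set
        # If the backend sets these too, hide its copies so the browser sees
        # a single, unambiguous value for each header.
        proxy_hide_header X-Frame-Options;
        proxy_hide_header X-Content-Type-Options;
        proxy_pass http://192.168.3.211:8096/;
        proxy_set_header Host $host;
    }
}
```

After `nginx -t` and a reload, check with `curl -sI https://sub.domain.com/` and again against a path the backend answers with a 404, since a scanner only reports the headers present on the one response it actually received.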
