Duplicate Headers Found But I Can't See Them

  • I've finally migrated all of my web servers to use Nginx as a proxy running on a separate server which does nothing but serve as a proxy and manage SSL certs. But when I check raw headers for my new Nextcloud install, I get a warning stating there are duplicates found. The server running Nextcloud has Apache but no SSL configured as that's all managed through the proxy.

    Here is the warning I get.


    I don't have anything else running on this server except Nginx. There are other config files but they are for separate domains so I can't understand why it is telling me I have duplicates. I got this warning from both https://securityheaders.io and https://observatory.mozilla.org. Any ideas where I should be looking?

    Here is my Nginx conf file.

    server {
       listen 80;
       server_name mydomain.com;
       return 301 https://$server_name$request_uri;
    server {
      listen 443 ssl http2;
      server_name mydomain.com;
      add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
      add_header X-XSS-Protection "1; mode=block";
      add_header X-Content-Type-Options nosniff;
      add_header Referrer-Policy strict-origin;
      ssl_stapling on;
      ssl_stapling_verify on;
      server_tokens off;
      ssl on;
      ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem;
      ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;
      ssl_session_timeout 5m;
      ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
      ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
      ssl_prefer_server_ciphers on;
      ssl_session_cache shared:SSL:10m;
      ssl_dhparam /etc/ssl/certs/dhparam.pem;
      proxy_cookie_path / "/; secure; HttpOnly";
        location / {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_set_header X-NginX-Proxy true;
            proxy_redirect off;
            # Socket.IO Support
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";

    My Nextcloud Apache conf file is this.

    <VirtualHost *:80>
     DocumentRoot "/var/www/nextcloud"
     ServerName mydomain.com
     ErrorLog ${APACHE_LOG_DIR}/error.log
     CustomLog ${APACHE_LOG_DIR}/access.log combined
    <Directory /var/www/nextcloud/>
     Options +FollowSymlinks
     AllowOverride All
     <IfModule mod_dav.c>
     Dav off
     SetEnv HOME /var/www/nextcloud
     SetEnv HTTP_HOME /var/www/nextcloud

Log in to reply