[BlueOnyx:22019] Re: nginx issue (another one)
Michael Stauber
mstauber at blueonyx.it
Sun May 6 16:55:46 -05 2018
Hi Maurice,
> That's weird. Every vsite config file for nginx at my system is missing
> the two lines
> add_header Strict-Transport-Security "max-age=25;" always;
> include /etc/nginx/headers.d/security.conf;
These two only get added if HSTS is enabled on a per Vsite level. Nginx
has the issue that if you use add_header in a Vsite context, then it
will (for that Vhost) ignore all previously set add_headers. So when
HSTS is enabled under "Vsite" > "SSL" the constructor not only adds the
HSTS header, but also puts in the include for
/etc/nginx/headers.d/security.conf so that we don't run that Vsite w/o that.
So with HSTS we have three options with Nginx:
- No HSTS at all.
- HSTS on a global level for all Vsites.
- HSTS globally off, but enabled individually for selected Vsites.
With Apache we only have the first two options: Entirely off or globally
on. Which is less ideal if you have Vsites that still don't have an SSL
certificate. Nginx gives us more flexibility there.
> That was going to be my next problem to fix: in my apache logfiles I
> don't see the actual ip, but only the server ip.
Like said: That should not happen. In the "location / { ... }" block in
each /etc/nginx/vsites/site* file we use proxy_set_headers to make sure
the client's IP is passed on to Nginx.
> Is there a constructor or something I can run manually to try to get
> these vsite config files for nginx fixed?
In "Network Settings" / "Services" / "Web" toggle Nginx off, save and
toggle it back on and save again. That will update all
/etc/nginx/vsites/site* files again.
--
With best regards
Michael Stauber
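
The add_header behaviour described in the message can be checked mechanically. The following is an added example, not part of the original post and not BlueOnyx code: a small Python audit that flags blocks which set add_header without re-including the shared header file. It goes one step beyond the post by applying the same nginx inheritance rule to location blocks. Assumptions: /etc/nginx/headers.d/security.conf holds the globally set headers, the sample configuration is constructed, the function names are hypothetical, and included files are not resolved.

```python
SECURITY_INCLUDE = "/etc/nginx/headers.d/security.conf"  # path quoted in the post
SAMPLE = '''# constructed sample, not a real BlueOnyx vsite file
http {
  include /etc/nginx/headers.d/security.conf;
  server { server_name site1.example.com;   # HSTS plus re-include: fine
    add_header Strict-Transport-Security "max-age=25;" always;
    include /etc/nginx/headers.d/security.conf; }
  server { server_name site2.example.com;   # HSTS only: inherited headers lost
    add_header Strict-Transport-Security "max-age=25;" always; }
  server { server_name site3.example.com;   # same rule one level down
    location /static { add_header Cache-Control "public"; } }
}
'''

def parse_blocks(conf):
    """Return (header, direct_directives) per block; honours quotes and # comments."""
    stack, done, buf, quote, comment = [("main", [])], [], "", None, False
    for ch in conf:
        if comment:
            comment = ch != "\n"
        elif quote:
            buf, quote = buf + ch, (None if ch == quote else quote)
        elif ch in "\"'":
            buf, quote = buf + ch, ch
        elif ch == "#":
            comment = True
        elif ch in "{;}":
            text, buf = " ".join(buf.split()), ""
            if ch == "{":
                stack.append((text, []))
            elif ch == ";":
                stack[-1][1].append(text)
            else:
                done.append(stack.pop())
        else:
            buf += ch
    return done + stack

def audit(conf):
    """List server/location blocks that set add_header without re-including security.conf."""
    findings = []
    for header, directives in parse_blocks(conf):
        own = any(d.startswith("add_header ") for d in directives)
        kept = any(d.split() == ["include", SECURITY_INCLUDE] for d in directives)
        if header.split()[:1] in (["server"], ["location"]) and own and not kept:
            name = next((d.split()[1] for d in directives if d.startswith("server_name ")), "")
            findings.append(f"{header} {name}".strip())
    return findings

print(audit(SAMPLE))
```

To audit a real file, pass its contents to audit(); a flagged block is one where the inherited headers no longer apply.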