Nginx – Strip Header on HTTP, Add Header on HTTPS

Tags: http-headers, nginx, proxy, ssl, web-applications

I'm configuring an Nginx server so as to serve as a reverse proxy to serve a Django app (run on Gunicorn).

My problem is that I want my site secured with HTTPS, and so I want my Django app to be able to determine whether a connection is secure or not. I am using Django 1.4, so I do have access to the SECURE_PROXY_SSL_HEADER, which I configured as SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTOCOL', 'https').

Now, as mentioned by the documentation, I need to make sure that Nginx only adds the header when needed, and strips it when not. As I would like my Nginx configuration to be as DRY as possible, I'd rather not have two config files (one for port 80 and one for port 443).

Therefore, I'd like to know if there is a way in Nginx to determine whether the connection is https, and add (or strip) a header accordingly.

Best Answer

This solution does not describe how to strip a header on HTTP only, as asked in the question title.

A safe solution for your problem is to add

proxy_set_header  X-Forwarded-Protocol  $scheme;

It will set X-Forwarded-Protocol to http on HTTP requests and to https on HTTPS requests.

This makes sure that this header is overridden if the client set it, as required by https://docs.djangoproject.com/en/1.4/ref/settings/#secure-proxy-ssl-header.


NOTE: If you are sharing your Django project, please make sure to sufficiently warn users about this if you are including SECURE_PROXY_SSL_HEADER in settings.py, and it is best to comment it out by default.
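
The single-file setup discussed above, as an added example that is not part of the original answer: one server block listens on both ports and always overwrites the header, with the weak variant shown commented out for contrast. The server name, certificate paths and the Gunicorn address 127.0.0.1:8000 are assumptions.

```nginx
# Weak variant (kept commented out): the header is only set in the HTTPS
# block. Nginx forwards client request headers to the upstream by default,
# so on port 80 a client-supplied X-Forwarded-Protocol reaches Django
# unchanged and SECURE_PROXY_SSL_HEADER would trust it.
#
# server {
#     listen 80;
#     location / { proxy_pass http://127.0.0.1:8000; }
# }
# server {
#     listen 443 ssl;
#     location / {
#         proxy_pass http://127.0.0.1:8000;
#         proxy_set_header X-Forwarded-Protocol https;
#     }
# }

# Corrected variant: a single server block for both ports.
server {
    listen 80;
    listen 443 ssl;
    server_name example.com;                            # assumption: placeholder name

    ssl_certificate     /etc/nginx/ssl/example.com.crt; # assumption: placeholder path
    ssl_certificate_key /etc/nginx/ssl/example.com.key; # assumption: placeholder path

    location / {
        proxy_pass http://127.0.0.1:8000;               # assumption: Gunicorn bind address

        proxy_set_header Host $host;

        # $scheme is "http" or "https" depending on how the request arrived.
        # proxy_set_header replaces any value the client sent, so Django's
        # HTTP_X_FORWARDED_PROTOCOL always reflects what Nginx saw.
        proxy_set_header X-Forwarded-Protocol $scheme;
    }
}
```

Gunicorn should only be reachable through Nginx (for example bound to 127.0.0.1 as assumed here); otherwise a client can connect to it directly and supply the header itself.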