starred/nginx-proxy-manager-NginxProxyManager
1
0
Fork 0
mirror of https://github.com/NginxProxyManager/nginx-proxy-manager.git synced 2026-04-25 17:35:52 +03:00
Code Issues 937 Projects Releases 10 Packages Wiki Activity

[GH-ISSUE #1005] Unnecessary HSTS header over HTTP #846

New issue
Closed
opened 2026-02-26 06:34:39 +03:00 by kerem · 4 comments
kerem commented 2026-02-26 06:34:39 +03:00
Owner
Copy link

Originally created by @DarioViva42 on GitHub (Apr 9, 2021).
Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/1005

grafik

I wanted to add my Website to the hsts-preload list: https://hstspreload.org/
With the current configuration I was able to add my site to the list. But I still have this very annoying message.
The hsts header should only be added if i access the page with https, but not when i access it over http.
grafik

I have tried a lot of different methods over the last days, but none seemed to work. First I tried to add the header in my node application instead of in the npm (not node package manager, but nginx proxy manager). But this obviously does not work, as the https terminates at the npm. so req.connection.enrypted is always undefined.

var proto = req.connection.encrypted ? 'https' : 'http';
if (proto =="https") {
  res.setHeader("Strict-Transport-Security", "max-age=31536000;includeSubDomains; preload");
}

I also tried to solve it in the advanced settings:
grafik

but this immediately makes the applikation stop working.
grafik

It really seemes that I am not able to solve this problem on my own and I need your help. I think the problem needs to be tackled inside npm itself.

Kind Regards

Dario Viva

Originally created by @DarioViva42 on GitHub (Apr 9, 2021). Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/1005 ![grafik](https://user-images.githubusercontent.com/45972949/114214087-2adf7900-9964-11eb-8d9e-5851c6dda60e.png) I wanted to add my Website to the hsts-preload list: https://hstspreload.org/ With the current configuration I was able to add my site to the list. But I still have this very annoying message. The hsts header should only be added if i access the page with https, but not when i access it over http. ![grafik](https://user-images.githubusercontent.com/45972949/114216081-b8bc6380-9966-11eb-9810-c325afdf28b5.png) I have tried a lot of different methods over the last days, but none seemed to work. First I tried to add the header in my node application instead of in the npm (not node package manager, but nginx proxy manager). But this obviously does not work, as the https terminates at the npm. so req.connection.enrypted is always undefined. ```js var proto = req.connection.encrypted ? 'https' : 'http'; if (proto =="https") { res.setHeader("Strict-Transport-Security", "max-age=31536000;includeSubDomains; preload"); } ``` I also tried to solve it in the advanced settings: ![grafik](https://user-images.githubusercontent.com/45972949/114215573-097f8c80-9966-11eb-82c8-b148740be623.png) but this immediately makes the applikation stop working. ![grafik](https://user-images.githubusercontent.com/45972949/114215749-464b8380-9966-11eb-9267-a5cba4f2675a.png) It really seemes that I am not able to solve this problem on my own and I need your help. I think the problem needs to be tackled inside npm itself. Kind Regards Dario Viva
kerem 2026-02-26 06:34:39 +03:00
  • closed this issue
  • added the
    bug
         label
kerem commented 2026-02-26 06:34:40 +03:00
Author
Owner
Copy link

@l4rm4nd commented on GitHub (Jun 22, 2021):

Put the following line into your advanced configuration of npm:

include conf.d/include/force-ssl.conf;

image

This ensures that your site is only accessible by an encrypted communication channel (HTTPS). If a request occurs on HTTP, a redirect to HTTPS will take place.

<!-- gh-comment-id:866049886 --> @l4rm4nd commented on GitHub (Jun 22, 2021): Put the following line into your advanced configuration of npm: `include conf.d/include/force-ssl.conf;` ![image](https://user-images.githubusercontent.com/21357789/122946278-87561000-d379-11eb-9c9a-247f9595ef6f.png) This ensures that your site is only accessible by an encrypted communication channel (HTTPS). If a request occurs on HTTP, a redirect to HTTPS will take place.
kerem commented 2026-02-26 06:34:40 +03:00
Author
Owner
Copy link

@DarioViva42 commented on GitHub (Dec 2, 2023):

@l4rm4nd sorry for taking so long to respond to you (wow its more than two years past)
I just wanted you to inform you that your solution sadly did not work.
But I found something that should probably work.
https://websistent.com/add-the-hsts-header-only-for-https-requests-nginx/
but this configuration can probably not changed easily by myself.
when i add map into the Custom Nginx Configuration field the service goes offline.

<!-- gh-comment-id:1836994212 --> @DarioViva42 commented on GitHub (Dec 2, 2023): @l4rm4nd sorry for taking so long to respond to you (wow its more than two years past) I just wanted you to inform you that your solution sadly did not work. But I found something that should probably work. https://websistent.com/add-the-hsts-header-only-for-https-requests-nginx/ but this configuration can probably not changed easily by myself. when i add map into the Custom Nginx Configuration field the service goes offline.
kerem commented 2026-02-26 06:34:40 +03:00
Author
Owner
Copy link

@andresatierf commented on GitHub (Jan 24, 2024):

@jc21 I believe this change causes something to break. I don't know a lot about nginx but recently I can't add a location block to my proxy hosts without them going offline. I looked around for the problem and found this in the db
image
as well as this change compared to previously created files
image
(sorry for the colorscheme)

<!-- gh-comment-id:1908793861 --> @andresatierf commented on GitHub (Jan 24, 2024): @jc21 I believe this change causes something to break. I don't know a lot about nginx but recently I can't add a location block to my proxy hosts without them going offline. I looked around for the problem and found this in the db ![image](https://github.com/NginxProxyManager/nginx-proxy-manager/assets/29847057/e334cb75-062a-4362-8bcb-d33a24253a92) as well as this change compared to previously created files ![image](https://github.com/NginxProxyManager/nginx-proxy-manager/assets/29847057/16fbf871-4670-4280-bde1-52175117d3e4) (sorry for the colorscheme)
kerem commented 2026-02-26 06:34:40 +03:00
Author
Owner
Copy link

@DarioViva42 commented on GitHub (Jan 24, 2024):

Hey @andresatierf
I am sorry if this change really causes your break. I modified the files to the best of my knowledge, but I was never able to build it locally.
@jc21 was so kind to merge this, so I figured that my commit was alright.

<!-- gh-comment-id:1909018661 --> @DarioViva42 commented on GitHub (Jan 24, 2024): Hey @andresatierf I am sorry if this change really causes your break. I modified the files to the best of my knowledge, but I was never able to build it locally. @jc21 was so kind to merge this, so I figured that my commit was alright.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
develop
dependabot/npm_and_yarn/backend/liquidjs-10.25.7
dependabot/npm_and_yarn/frontend/prod-minor-updates-2a16bf3987
dependabot/npm_and_yarn/frontend/dev-patch-updates-754666cf41
dependabot/npm_and_yarn/backend/basic-ftp-5.3.0
dependabot/npm_and_yarn/test/follow-redirects-1.16.0
dependabot/npm_and_yarn/test/axios-1.15.0
dependabot/npm_and_yarn/frontend/lodash-4.18.1
dependabot/npm_and_yarn/backend/lodash-4.18.1
dependabot/npm_and_yarn/test/lodash-4.18.1
dependabot/npm_and_yarn/frontend/vite-7.3.2
dependabot/npm_and_yarn/backend/prod-minor-updates-5ec19a7f21
dependabot/npm_and_yarn/frontend/lodash-es-4.18.1
dependabot/npm_and_yarn/frontend/happy-dom-20.8.9
dependabot/npm_and_yarn/backend/path-to-regexp-8.4.0
dependabot/npm_and_yarn/frontend/picomatch-4.0.4
dependabot/npm_and_yarn/backend/picomatch-2.3.2
dependabot/npm_and_yarn/frontend/yaml-1.10.3
dependabot/npm_and_yarn/test/flatted-3.4.2
dependabot/npm_and_yarn/test/tar-7.5.11
dependabot/npm_and_yarn/frontend/immutable-5.1.5
master
dependabot/npm_and_yarn/test/glob-10.5.0
dependabot/npm_and_yarn/frontend/mdast-util-to-hast-13.2.1
dependabot/npm_and_yarn/test/form-data-4.0.4
v3-abandoned
bump-freedns
openidc
ssl-passthrough-hosts
static-content
v2.14.0
v2.13.7
v2.13.6
v2.13.5
v2.13.4
v2.13.3
v2.13.2
v2.13.1
v2.13.0
v2.12.6
v2.12.5
v2.12.4
v2.12.3
v2.12.2
v2.12.1
v2.12.0
v2.11.3
v2.11.2
v2.11.1
v2.11.0
v2.10.4
v2.10.3
v2.10.2
v2.10.1
v2.10.0
v2.9.22
v2.9.21
v2.9.20
v2.9.19
v2.9.18
v2.9.17
v2.9.16
v2.9.15
v2.9.14
v2.9.13
v2.9.12
v2.9.11
v2.9.10
v2.9.9
v2.9.8
v2.9.7
v2.9.6
v2.9.5
v2.9.4
v2.9.3
v2.9.2
v2.9.1
v2.9.0
v2.8.1
v2.8.0
v2.7.3
v2.7.2
v2.7.1
v2.7.0
v2.6.2
v2.6.1
v2.6.0
v2.5.0
v2.4.0
v2.3.1
v2.3.0
v2.2.4
v2.2.3
v2.2.2
v2.2.1
v2.2.0
v2.1.2
v2.1.1
v2.1.0
2.0.14
2.0.13
2.0.12
2.0.11
2.0.10
2.0.9
2.0.8
2.0.7
2.0.6
2.0.5
2.0.4
2.0.3
2.0.2
2.0.0
v2.0.0
1.1.2
1.1.1
1.0.1
Labels
Clear labels   
awaiting feedback

   
bug

   
cannot reproduce

   
dns provider request

   
duplicate

   
enhancement

   
enhancement

   
enhancement

   
good first issue

   
help wanted

   
invalid

   
need more info

   
no certbot plugin available

   
product-support

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
stale

   
troll

   
upstream issue

   
v2

   
v2

   
v2

   
v3

   
wontfix
No labels
awaiting feedback
bug
cannot reproduce
dns provider request
duplicate
enhancement
enhancement
enhancement
good first issue
help wanted
invalid
need more info
no certbot plugin available
product-support
pull-request
question
stale
troll
upstream issue
v2
v2
v2
v3
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/nginx-proxy-manager-NginxProxyManager#846
No description provided.