Thierry:
> Nginx: front end - reverse proxy
> Apache2: Back end - web server
hpkp is an header served to the client as response to an https request
I would add the Public-Key-Pins on the instance terminating the HTTPS request.
without rproxy I have this in /etc/nginx/sites-enabled/example.org
server {
listen *:443 ssl http2;
server_name example.org;
ssl_certificate /etc/ssl/example.org/cert+intermediate.pem;
ssl_certificate_key /etc/ssl/example.org/key.pem;
ssl_stapling_file /etc/ssl/example.org/ocsp.response;
add_header Public-Key-Pins "max-age=42424242;
pin-sha256=\"..pin1...\"; pin-sha256=\"..pin2...\";";
...
}
Andreas
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx