id,summary,reporter,owner,description,type,status,priority,milestone,component,version,resolution,keywords,cc,uname,nginx_version
1181,"""Vary: X-Forwarded-Proto"" should be removed",shaula@…,,"I'm using Nginx as SSL terminator and I've got the following setup:

{{{
Internet --> Nginx:443 --> Varnish:6080 --> Apache:80
}}}

'''Details'''

Doing this I use this as part of my config:

{{{
location / {
    proxy_pass http://127.0.0.1:6080;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header Host $host;
}
}}}

While Apache sees the request header ""X-Forwarded-Proto: https"" it adds a response header ""Vary: X-Forwarded-Proto"". Depending on the resource it might also send a ""Vary: X-Forwarded-Proto, Accept-Encoding"". Now this Vary header is useful, because Varnish can create different cache entries for pages that are HTTPS over HTTP and another one for plain-HTTP.

'''Request for change'''

As Nginx runs as SSL terminator it should remove the response header value ""X-Forwarded-Proto"" from the ""Vary"" header! In some cases other Vary values such as ""Accept-Encoding"" should be kept.

'''Reasoning'''

Nginx terminated SSL, so we tell all services behind that this request was originally an HTTPS one by using ""X-Forwarded-Proto: https"". As this request header was not present on the outside (Internet), it makes no sense to keep ""Vary: X-Forwarded-Proto"".

'''Effects'''

Keeping a ""Vary: X-Forwarded-Proto"" causes cache malfunctioning in IE9+ (see also: https://blogs.msdn.microsoft.com/ieinternals/2009/06/17/vary-with-care/). IE refuses to cache stuff with ""custom"" Vary values. In addition it refuses to use webfonts, e.g. woff2 files, served with this response header.

'''Side Note'''

If Apache is used as SSL terminator it does exactly this.",enhancement,closed,major,,nginx-core,1.10.x,wontfix,,,Linux _CAMOUFLAGED_ 3.10.0-327.36.3.el7.x86_64 #1 SMP Mon Oct 24 16:09:20 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux,"nginx version: nginx/1.10.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-4) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --pid-path=/run/nginx.pid --lock-path=/run/lock/subsys/nginx --user=nginx --group=nginx --with-file-aio --with-ipv6 --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_slice_module --with-http_stub_status_module --with-http_perl_module=dynamic --with-mail=dynamic --with-mail_ssl_module --with-pcre --with-pcre-jit --with-stream=dynamic --with-stream_ssl_module --with-google_perftools_module --with-debug --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic' --with-ld-opt='-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-E'"