
I want to enable HTTP Strict Transport Security (HSTS) Headers globally for all my backends in HAProxy v1.5.

Following the instructions from https://www.haproxy.com/blog/haproxy-and-http-strict-transport-security-hsts-header-in-http-redirects/ I can add the following line to a backend configuration file and it works as expected.

    http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload;

I have a dozen backend files and will likely have more in the future. I'd like to set this in one place.

I'd like something similar to how it's set up globally in Apache's httpd.conf:

    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"

kenlukas
    Initial research would seem to indicate that this cannot be done, given that `http-response` can only be configured in frontend, listen, or backend sections, but not in defaults. https://cbonte.github.io/haproxy-dconv/1.7/configuration.html#4.2-http-request – slm Oct 09 '18 at 18:39

2 Answers


HAProxy doesn't have hierarchical configuration like Apache does. I don't think this is possible.

longneck

Now HAProxy does support HSTS. For this I have followed the steps below.

Here is my cfg file:

Step 1: Add static ciphers (NOT NECESSARY, I AM DOING IT FOR GOOD WILL)

    frontend http-in
        bind 192.168.71.20:443 ssl crt /etc/ssl/private/domain.pem ca-file /etc/ssl/private/domain/domain.ca-bundle no-sslv3 force-tlsv12 no-tls-tickets ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA384:AES128-SHA256:AES128-SHA:AES256-SHA256:AES256-SHA:!MD5:!aNULL:!DH:!RC4

Step 2: Create an ACL to mark secure packets

        # Distinguish between secure and insecure requests
        acl secure dst_port eq 443

Secure your cookie:

        # Mark all cookies as secure if sent over SSL
        rsprep ^Set-Cookie:\ (.*) Set-Cookie:\ \1;\ Secure if secure

Finally, apply the HSTS settings:

        # Add the HSTS header with a 1 year max-age
        rspadd Strict-Transport-Security:\ max-age=31536000 if secure

After that, restart HAProxy.

Mansur Ul Hasan
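Since HAProxy 1.5 cannot carry `http-response` in `defaults`, the practical fallback for "a dozen backend files" is to keep the directive per section and audit the configuration so that no HTTPS section is missed. The following script is an added example and is not from the question, either answer, or the HAProxy project: it parses an HAProxy config into sections, recognises both directive forms shown in this thread (the 1.5-era `rspadd` form, which was removed in HAProxy 2.1, and the `http-response set-header` form), and reports sections with no HSTS directive or a `max-age` below one year. The sample configuration is constructed for the example (the `192.168.71.20` bind address is taken from the answer above; the `10.0.0.x` servers, section names and paths are invented).

```python
"""Audit an HAProxy config for HSTS coverage (added example, not from the thread).

HAProxy 1.5 offers no 'defaults'-level http-response, so every frontend,
listen and backend that serves HTTPS needs its own directive. This script
parses a config, finds each section's Strict-Transport-Security directive
(either the rspadd form or the http-response set-header form), and reports
sections that have none or whose max-age is below a minimum.
"""
import re

SECTION_RE = re.compile(r"^(global|defaults|frontend|backend|listen)\b\s*(\S*)")
# Matches both directive styles; HAProxy escapes spaces in the value as '\ ',
# which is undone before matching so the value can be inspected as plain text.
HSTS_RE = re.compile(
    r"^(?:http-response\s+(?:set|add)-header|rspadd)\s+"
    r"Strict-Transport-Security:?\s+(.+?)(?:\s+(?:if|unless)\s+.*)?$",
    re.IGNORECASE,
)
MAX_AGE_RE = re.compile(r"max-age=(\d+)", re.IGNORECASE)

ONE_YEAR = 31536000  # max-age in seconds that the browser preload list expects

# Constructed sample config: a frontend in the 1.5 rspadd style, a backend in
# the http-response style, a backend with no HSTS, and one with a short max-age.
SAMPLE_CFG = """\
global
    log /dev/log local0

defaults
    mode http
    timeout client 30s

frontend http-in
    bind 192.168.71.20:443 ssl crt /etc/ssl/private/domain.pem
    acl secure dst_port eq 443
    rspadd Strict-Transport-Security:\\ max-age=31536000 if secure
    default_backend app1

backend app1
    server s1 10.0.0.11:8080 check
    http-response set-header Strict-Transport-Security max-age=16000000;\\ includeSubDomains;\\ preload;

backend app2
    server s2 10.0.0.12:8080 check

backend legacy
    server s3 10.0.0.13:8080 check
    http-response set-header Strict-Transport-Security "max-age=300"
"""


def parse_sections(cfg_text):
    """Split config text into (kind, name, [directive lines]) in file order."""
    sections = []
    current = None
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = (m.group(1), m.group(2), [])
            sections.append(current)
        elif current is not None:
            current[2].append(line)
    return sections


def hsts_policy(lines):
    """Return the HSTS policy declared in a section, or None if it has none."""
    for line in lines:
        m = HSTS_RE.match(line.replace("\\ ", " "))
        if not m:
            continue
        value = m.group(1).strip("\"'")
        age = MAX_AGE_RE.search(value)
        low = value.lower()
        return {
            "max_age": int(age.group(1)) if age else 0,
            "include_subdomains": "includesubdomains" in low,
            "preload": "preload" in low,
        }
    return None


def audit(cfg_text, min_age=ONE_YEAR):
    """Map 'kind name' to a finding for every section that needs attention."""
    findings = {}
    for kind, name, lines in parse_sections(cfg_text):
        if kind in ("global", "defaults"):
            continue
        label = f"{kind} {name}"
        policy = hsts_policy(lines)
        if policy is None:
            findings[label] = "no Strict-Transport-Security directive"
        elif policy["max_age"] < min_age:
            findings[label] = f"max-age={policy['max_age']} is below {min_age}"
    return findings


if __name__ == "__main__":
    for section, problem in audit(SAMPLE_CFG).items():
        print(f"{section}: {problem}")
```

Run it against a real `haproxy.cfg` by passing the file contents to `audit()`; a clean run returns an empty dict. The check is deliberately per section rather than global because that is how HAProxy 1.5 actually applies the header, and a frontend that adds the header unconditionally on a plain-HTTP bind is harmless to browsers (they ignore HSTS over HTTP) but still worth pairing with an ACL such as the `if secure` guard in the answer above.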