Ping a Specific Port

Question

kenlukas

Asked: 2018-10-10 09:25:02 +0800 CST2018-10-10 09:25:02 +0800 CST 2018-10-10 09:25:02 +0800 CST

Enable HTTP Strict Transport Header globally in HAProxy

772

I want to enable HTTP Strict Transport Security (HSTS) Headers globally for all my backends in HAProxy v1.5.

Following the instructions from https://www.haproxy.com/blog/haproxy-and-http-strict-transport-security-hsts-header-in-http-redirects/ I can add the following line to a backend configuration file and it works as expected.

http-response set-header Strict-Transport-Security max-age=16000000;\ 
includeSubDomains;\ preload;

I have a dozen backend files and will likely have more in the future. I'd like to set this in one place.

I'd like something similar to how it's set up globally in Apache's httpd.conf:

Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"

2 Answers

Voted

longneck · Answer 1 · 2018-10-10T10:32:29+08:00

Best Answer

longneck

2018-10-10T10:32:29+08:002018-10-10T10:32:29+08:00

haproxy doesn't have hierarchical configuration like Apache does. I don't think this is possible.

3

Mansur Ul Hasan · Answer 2 · 2019-04-18T22:53:47+08:00

Now HAPROXY does support HSTS for this i have followed below steps

Here is my cfg file

Step # 1 Add static cipher (NOT NECESSARY I AM DOING FOR GOOD WIL )

frontend http-in
    bind 192.168.71.20:443 ssl crt /etc/ssl/private/domain.pem ca-file /etc/ssl/private/domain/domain.ca-bundle no-sslv3 force-tlsv12 no-tls-tickets ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA384:AES128-SHA256:AES128-SHA:AES256-SHA256:AES256-SHA:!MD5:!aNULL:!DH:!RC4

Step # 2 Create ACL to mark secure packets

    # Distinguish between secure and insecure requests
acl secure dst_port eq 443

Secure your Cookie

    # Mark all cookies as secure if sent over SSL
rsprep ^Set-Cookie:\ (.*) Set-Cookie:\ \1;\ Secure if secure

Finally apply HSTS settings

    # Add the HSTS header with a 1 year max-age
rspadd Strict-Transport-Security:\ max-age=31536000 if secure

After that restart haproxy

Enable HTTP Strict Transport Header globally in HAProxy

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?