HAProxy – Enable HTTP Strict Transport Header Globally

haproxyhsts

I want to enable HTTP Strict Transport Security (HSTS) Headers globally for all my backends in HAProxy v1.5.

Following the instructions from https://www.haproxy.com/blog/haproxy-and-http-strict-transport-security-hsts-header-in-http-redirects/ I can add the following line to a backend configuration file and it works as expected.

http-response set-header Strict-Transport-Security max-age=16000000;\ 
includeSubDomains;\ preload;

I have a dozen backend files and will likely have more in the future. I'd like to set this in one place.

I'd like something similar to how it's set up globally in Apache's httpd.conf:

Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"

Best Answer

haproxy doesn't have hierarchical configuration like Apache does. I don't think this is possible.

Related Solutions

Ssl – How to horizontally scale SSL termination behind HAProxy load balancing

Firstly this adds unneccesary complexity to your webservers.

Secondly terminating the SSL connection at the LB means you can use keepalive on the client side for the connection reducing the complex part of establishing the connection. Also the most efficient use of resources is to group like workloads. Many people seperate static and dynamic content, SSL at the LB means that both can come from different servers through the same connection.

Thirdly SSL generally scales at a different rate than required by your web app. I think the lack of examples is due to the fact that a single LB pair or Round robin dns is enough for most people. It seems to me that you may be overestimating the SSL workload.

Also I am not sure about your reasoning regarding security. In addition to the fact that the webserver is already running far more services with possible exploits, if there are any vulnerabilities in the LB then you have just introduced them onto your webservers too!

Serve 404 from HAProxy when no acls match

If you would be okay with any of the following response codes: 200, 400, 403, 405, 408, 429, 500, 502, 503, or 504.

Then you could do something like this:

frontend www
  ...
  default_backend no-match

backend no-match
  mode http
  http-request deny deny_status 400

http-request: http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#4-http-request
Accepted response codes described in errorfile: http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#errorfile

Best Answer

Related Solutions

Ssl – How to horizontally scale SSL termination behind HAProxy load balancing

Serve 404 from HAProxy when no acls match

Related Topic