-
-
Save troyfontaine/621af8194f01294fff36ede485c4d7cc to your computer and use it in GitHub Desktop.
# Sampling of security headers | |
http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" | |
http-response set-header X-Frame-Options SAMEORIGIN | |
http-response set-header X-XSS-Protection "1; mode=block" | |
http-response set-header Referrer-Policy no-referrer-when-downgrade |
#---------------------------------------------------------------------
Example configuration for a possible web application. See the
full configuration options online.
https://www.haproxy.org/download/1.8/doc/configuration.txt
#---------------------------------------------------------------------
#---------------------------------------------------------------------
Global settings
#---------------------------------------------------------------------
global
# to have these messages end up in /var/log/haproxy.log you will
# need to:
#
# 1) configure syslog to accept network log events. This is done
# by adding the '-r' option to the SYSLOGD_OPTIONS in
# /etc/sysconfig/syslog
#
# 2) configure local2 events to go to the /var/log/haproxy.log
# file. A line like the following can be added to
# /etc/sysconfig/syslog
#
# local2.* /var/log/haproxy.log
#
log 127.0.0.1 local2
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 4000
user haproxy
group haproxy
daemon
# turn on stats unix socket
stats socket /var/lib/haproxy/stats
#---------------------------------------------------------------------
common defaults that all the 'listen' and 'backend' sections will
use if not designated in their block
#---------------------------------------------------------------------
defaults
mode http
log global
option httplog
option dontlognull
option http-server-close
option forwardfor except 127.0.0.0/8
option redispatch
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 3000
#---------------------------------------------------------------------
Stats
#---------------------------------------------------------------------
listen haproxy-stats-process-1
mode http
stats enable
stats hide-version
stats uri /
stats realm HAProxy\ Statistics
stats auth stat:CVFgu7aAtskGJgZE
bind *:8880
bind-process 1
#---------------------------------------------------------------------
main frontend which proxys to the backends
#---------------------------------------------------------------------
frontend main
bind *:80
acl url_static path_beg -i /static /images /javascript /stylesheets
acl url_static path_end -i .jpg .gif .png .css .js
use_backend static if url_static
default_backend app
acl host_allow hdr(host) -i -f /etc/haproxy/acl_header_web
http-request deny if !host_allow
acl is_web_server hdr(host) -i -f /etc/haproxy/acl_header_web
#--------------------------------------------------------------------
use_backend web_server if is_web_server
#---------------------------------------------------------------------
static backend for serving up images, stylesheets and such
#---------------------------------------------------------------------
use_backend xen if is_web_server
backend xen
balance roundrobin
server xen:xen80 192.168.249.46:80 maxconn 1000
server xan:xan:80 192.168.249.101:80 maxconn 1000
For sample if this is my config where do I need to set headers ??
Woops, I guess I didn't receive a notification on your comments @GitAlik, these go in the frontend-ideally after your bind but before your ACLs (at least, that's how I organize them).
where do I need to add the followinf headers? can you please provide a sample ? as I`m adding it to my (use_backend) it is not working im setting it in my bind part iut is not working. please advise. give a sample please.