Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
HAProxy Security Headers (1.6+)
# Sampling of security headers
http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
http-response set-header X-Frame-Options SAMEORIGIN
http-response set-header X-XSS-Protection "1; mode=block"
http-response set-header Referrer-Policy no-referrer-when-downgrade
@GitAlik

This comment has been minimized.

Copy link

@GitAlik GitAlik commented Jun 27, 2018

where do I need to add the followinf headers? can you please provide a sample ? as I`m adding it to my (use_backend) it is not working im setting it in my bind part iut is not working. please advise. give a sample please.

@GitAlik

This comment has been minimized.

Copy link

@GitAlik GitAlik commented Jun 27, 2018

#---------------------------------------------------------------------

Example configuration for a possible web application. See the

full configuration options online.

https://www.haproxy.org/download/1.8/doc/configuration.txt

#---------------------------------------------------------------------

#---------------------------------------------------------------------

Global settings

#---------------------------------------------------------------------
global
# to have these messages end up in /var/log/haproxy.log you will
# need to:
#
# 1) configure syslog to accept network log events. This is done
# by adding the '-r' option to the SYSLOGD_OPTIONS in
# /etc/sysconfig/syslog
#
# 2) configure local2 events to go to the /var/log/haproxy.log
# file. A line like the following can be added to
# /etc/sysconfig/syslog
#
# local2.* /var/log/haproxy.log
#
log 127.0.0.1 local2

chroot      /var/lib/haproxy
pidfile     /var/run/haproxy.pid
maxconn     4000
user        haproxy
group       haproxy
daemon

# turn on stats unix socket
stats socket /var/lib/haproxy/stats

#---------------------------------------------------------------------

common defaults that all the 'listen' and 'backend' sections will

use if not designated in their block

#---------------------------------------------------------------------

defaults
mode http
log global
option httplog
option dontlognull
option http-server-close
option forwardfor except 127.0.0.0/8
option redispatch
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 3000

#---------------------------------------------------------------------

Stats

#---------------------------------------------------------------------
listen haproxy-stats-process-1
mode http
stats enable
stats hide-version
stats uri /
stats realm HAProxy\ Statistics
stats auth stat:CVFgu7aAtskGJgZE
bind *:8880
bind-process 1

#---------------------------------------------------------------------

main frontend which proxys to the backends

#---------------------------------------------------------------------
frontend main
bind *:80
acl url_static path_beg -i /static /images /javascript /stylesheets
acl url_static path_end -i .jpg .gif .png .css .js

use_backend static if url_static

default_backend app

    acl host_allow hdr(host) -i -f /etc/haproxy/acl_header_web
    http-request deny if !host_allow

    acl is_web_server hdr(host) -i -f /etc/haproxy/acl_header_web

#--------------------------------------------------------------------

use_backend web_server if is_web_server

#---------------------------------------------------------------------

static backend for serving up images, stylesheets and such

#---------------------------------------------------------------------
use_backend xen if is_web_server

backend xen
balance roundrobin
server xen:xen80 192.168.249.46:80 maxconn 1000
server xan:xan:80 192.168.249.101:80 maxconn 1000


For sample if this is my config where do I need to set headers ??

@troyfontaine

This comment has been minimized.

Copy link
Owner Author

@troyfontaine troyfontaine commented Sep 9, 2018

Woops, I guess I didn't receive a notification on your comments @GitAlik, these go in the frontend-ideally after your bind but before your ACLs (at least, that's how I organize them).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.