Created November 22, 2017 06:03 by troyfontaine (gist 621af8194f01294fff36ede485c4d7cc)
HAProxy Security Headers (1.6+)
```haproxy
# Sampling of security headers
http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
http-response set-header X-Frame-Options SAMEORIGIN
http-response set-header X-XSS-Protection "1; mode=block"
http-response set-header Referrer-Policy no-referrer-when-downgrade
```
Whoops, I guess I didn't receive a notification on your comments @GitAlik. These go in the frontend, ideally after your bind but before your ACLs (at least, that's how I organize them).
```haproxy
#---------------------------------------------------------------------
# Example configuration for a possible web application. See the
# full configuration options online.
#   https://www.haproxy.org/download/1.8/doc/configuration.txt
#---------------------------------------------------------------------

#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    # to have these messages end up in /var/log/haproxy.log you will
    # need to:
    #
    # 1) configure syslog to accept network log events. This is done
    #    by adding the '-r' option to the SYSLOGD_OPTIONS in
    #    /etc/sysconfig/syslog
    #
    # 2) configure local2 events to go to the /var/log/haproxy.log
    #    file. A line like the following can be added to
    #    /etc/sysconfig/syslog
    #
    #    local2.* /var/log/haproxy.log
    #
    log 127.0.0.1 local2

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode http
    log global
    option httplog
    option dontlognull
    option http-server-close
    option forwardfor except 127.0.0.0/8
    option redispatch
    retries 3
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    timeout http-keep-alive 10s
    timeout check 10s
    maxconn 3000

#---------------------------------------------------------------------
# Stats
#---------------------------------------------------------------------
listen haproxy-stats-process-1
    mode http
    stats enable
    stats hide-version
    stats uri /
    stats realm HAProxy\ Statistics
    stats auth stat:CVFgu7aAtskGJgZE
    bind *:8880
    bind-process 1

#---------------------------------------------------------------------
# main frontend which proxies to the backends
#---------------------------------------------------------------------
frontend main
    bind *:80
    acl url_static path_beg -i /static /images /javascript /stylesheets
    acl url_static path_end -i .jpg .gif .png .css .js
    use_backend static if url_static
    default_backend app
    #-----------------------------------------------------------------
    # NOTE: the ACL 'is_web_server' and the backend 'web_server' are
    # not defined anywhere in this snippet
    use_backend web_server if is_web_server

#---------------------------------------------------------------------
# static backend for serving up images, stylesheets and such
#---------------------------------------------------------------------
# NOTE: this use_backend line sits outside any frontend section, and
# the backends 'static' and 'app' referenced above are not defined here
use_backend xen if is_web_server
backend xen
    balance roundrobin
    server xen:xen80 192.168.249.46:80 maxconn 1000
    server xan:xan:80 192.168.249.101:80 maxconn 1000
```
For example, if this is my config, where do I need to set the headers??
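Applying the reply above to the posted config, as an added example that is not from the gist or from either commenter: the header rules sit in the frontend after the `bind` lines and before the ACLs and `use_backend` rules. The TLS bind, the certificate path, the `static` backend address and the server names are assumptions, and the backends referenced by the posted config that it never defined are filled in here only so the frontend resolves.

```haproxy
frontend main
    bind *:80
    # assumed TLS listener; placeholder certificate path, replace with your PEM bundle
    bind *:443 ssl crt /etc/haproxy/certs/example.pem
    # send plain-HTTP clients to HTTPS so the HSTS header below is actually honoured
    http-request redirect scheme https code 301 unless { ssl_fc }

    # --- security headers: after bind, before the ACLs ---
    # browsers ignore Strict-Transport-Security received over plain HTTP,
    # so it is only emitted on TLS responses
    http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" if { ssl_fc }
    http-response set-header X-Frame-Options SAMEORIGIN
    http-response set-header X-XSS-Protection "1; mode=block"
    http-response set-header Referrer-Policy no-referrer-when-downgrade
    # set-header overwrites any value the backend already sent, which is what
    # you want for a policy enforced at the edge; add-header would append instead

    # --- routing rules come after the headers ---
    acl url_static path_beg -i /static /images /javascript /stylesheets
    acl url_static path_end -i .jpg .gif .png .css .js
    use_backend static if url_static
    default_backend xen

# assumed backend for the static ACL above; constructed address
backend static
    balance roundrobin
    server static1 192.168.249.50:80 maxconn 1000

# the backend from the posted config, with plain server names (assumed)
backend xen
    balance roundrobin
    server xen1 192.168.249.46:80 maxconn 1000
    server xan1 192.168.249.101:80 maxconn 1000
```

Run `haproxy -c -f haproxy.cfg` after editing to confirm the file parses, then check a TLS response with `curl -sI https://host/` to see the four headers on the wire.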