update security-header handling
ansibleguy committed May 31, 2024
1 parent b48c241 commit 5253e25
Showing 7 changed files with 22 additions and 20 deletions.
10 changes: 5 additions & 5 deletions ExampleAcme.md
Expand Up @@ -103,11 +103,11 @@ root@test-ag-haproxy-acme:/# cat /etc/haproxy/conf.d/frontend.cfg
> http-request deny status 405 default-errorfiles if { method TRACE CONNECT }
>
> # Security headers
> http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;"
> http-response set-header X-Frame-Options "DENY"
> http-response set-header X-Content-Type-Options "nosniff"
> http-response set-header X-Permitted-Cross-Domain-Policies "none"
> http-response set-header X-XSS-Protection "1; mode=block"
> http-response add-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;" if !{ res.hdr(Strict-Transport-Security) -m found }
> http-response add-header X-Frame-Options "SAMEORIGIN" if !{ res.hdr(X-Frame-Options) -m found }
> http-response add-header X-Content-Type-Options "nosniff" if !{ res.hdr(X-Content-Type-Options) -m found }
> http-response add-header X-Permitted-Cross-Domain-Policies "none" if !{ res.hdr(X-Permitted-Cross-Domain-Policies) -m found }
> http-response add-header X-XSS-Protection "1; mode=block" if !{ res.hdr(X-XSS-Protection) -m found }
>
> http-request capture req.fhdr(User-Agent) len 200
>
10 changes: 5 additions & 5 deletions ExampleGeoIP.md
Expand Up @@ -118,11 +118,11 @@ root@test-ag-haproxy-geoip:/# cat /etc/haproxy/conf.d/frontend.cfg
> http-request capture var(txn.geoip_asn) len 10
>
> # Security headers
> http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;"
> http-response set-header X-Frame-Options "DENY"
> http-response set-header X-Content-Type-Options "nosniff"
> http-response set-header X-Permitted-Cross-Domain-Policies "none"
> http-response set-header X-XSS-Protection "1; mode=block"
> http-response add-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;" if !{ res.hdr(Strict-Transport-Security) -m found }
> http-response add-header X-Frame-Options "SAMEORIGIN" if !{ res.hdr(X-Frame-Options) -m found }
> http-response add-header X-Content-Type-Options "nosniff" if !{ res.hdr(X-Content-Type-Options) -m found }
> http-response add-header X-Permitted-Cross-Domain-Policies "none" if !{ res.hdr(X-Permitted-Cross-Domain-Policies) -m found }
> http-response add-header X-XSS-Protection "1; mode=block" if !{ res.hdr(X-XSS-Protection) -m found }
>
> http-request capture req.fhdr(User-Agent) len 200
>
10 changes: 5 additions & 5 deletions ExampleWAF.md
Expand Up @@ -136,11 +136,11 @@ root@test-ag-haproxy-waf:/# cat /etc/haproxy/conf.d/frontend.cfg
> http-request capture var(txn.bot) len 1
>
> # Security headers
> http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;"
> http-response set-header X-Frame-Options "DENY"
> http-response set-header X-Content-Type-Options "nosniff"
> http-response set-header X-Permitted-Cross-Domain-Policies "none"
> http-response set-header X-XSS-Protection "1; mode=block"
> http-response add-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;" if !{ res.hdr(Strict-Transport-Security) -m found }
> http-response add-header X-Frame-Options "SAMEORIGIN" if !{ res.hdr(X-Frame-Options) -m found }
> http-response add-header X-Content-Type-Options "nosniff" if !{ res.hdr(X-Content-Type-Options) -m found }
> http-response add-header X-Permitted-Cross-Domain-Policies "none" if !{ res.hdr(X-Permitted-Cross-Domain-Policies) -m found }
> http-response add-header X-XSS-Protection "1; mode=block" if !{ res.hdr(X-XSS-Protection) -m found }
> # SSL fingerprint
> http-request lua.fingerprint_ja3n
> http-request capture var(txn.fingerprint_ssl) len 32
7 changes: 4 additions & 3 deletions defaults/main/1_main.yml
Expand Up @@ -101,7 +101,7 @@ defaults_frontend:

flag_bots: false
flag_bots_lines: [] # additional checks you want to append; you could p.e. check if a cookie set by JS exists
# prepend 'http-request set-var(txn.bot) int(1) if !{ var(txn.bot) -m found } ' before your conditions
# is auto-prepended: 'http-request set-var(txn.bot) int(1) if !{ var(txn.bot) -m found } ' before your conditions

log:
user_agent: true
Expand Down Expand Up @@ -159,7 +159,7 @@ defaults_backend:

flag_bots: false
flag_bots_lines: [] # additional checks you want to append; you could p.e. check if a cookie set by JS exists
# prepend 'http-request set-var(txn.bot) int(1) if !{ var(txn.bot) -m found } ' before your conditions
# is auto-prepended: 'http-request set-var(txn.bot) int(1) if !{ var(txn.bot) -m found } ' before your conditions

# for health-checks see: https://www.haproxy.com/blog/how-to-enable-health-checks-in-haproxy
# more complex ones should be implemented by supplying the raw config-lines
Expand All @@ -169,9 +169,10 @@ defaults_backend:
check_uri:
check_expect:

# NOTE: if your application adds these response headers - they will not be overwritten
defaults_security_headers:
Strict-Transport-Security: 'max-age=16000000; includeSubDomains; preload;'
X-Frame-Options: 'DENY' # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
X-Frame-Options: 'SAMEORIGIN' # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
X-Content-Type-Options: 'nosniff' # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
X-Permitted-Cross-Domain-Policies: 'none'
X-XSS-Protection: '1; mode=block'
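Review bot: The `X-Frame-Options` default in the `defaults_security_headers` hunk relaxes from `DENY` to `SAMEORIGIN` without a comment saying why; now that the NOTE above the map states application-supplied headers are no longer overwritten, an application that needs to frame itself can emit its own `SAMEORIGIN`, so the stricter `DENY` default could be kept, and if the relaxation is deliberate a one-line comment such as `# SAMEORIGIN by default so self-framing apps work without per-app overrides` should accompany it. The same hunk leaves `X-XSS-Protection: '1; mode=block'` in place, which current browser guidance treats as deprecated; that is pre-existing, but worth a comment while the defaults are being revisited. The two `flag_bots_lines` comment hunks earlier in this file should also state explicitly that entries are ACL fragments rather than full `http-request` directives, since the previous wording told users to write the whole line.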
1 change: 1 addition & 0 deletions templates/etc/haproxy/conf.d/frontend.cfg.j2
Expand Up @@ -24,6 +24,7 @@ frontend {{ name }}

{% endif %}
{% if cnf.mode == 'http' %}
http-request set-header X-Forwarded-For %[src]
{% include "inc/security.j2" %}
{% include "inc/security_only_fe.j2" %}

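Review bot: `http-request set-header X-Forwarded-For %[src]` overwrites whatever X-Forwarded-For the client sent, which is the right default when HAProxy is the edge (a client cannot spoof its address into the header), but it also discards the chain from any trusted upstream proxy or CDN, so backends that rely on X-Forwarded-For would then see the upstream proxy's address rather than the real client's. Consider gating the overwrite on a role variable or a trusted-proxy ACL, e.g. `http-request set-header X-Forwarded-For %[src] unless { src -m ip <TRUSTED_PROXY_CIDRS> }` with the CIDRs coming from the inventory, and document the chosen trust model in defaults. If `option forwardfor` is also emitted elsewhere in the generated config (not visible here) the two would stack and should be reconciled. The enclosing `{% if cnf.mode == 'http' %}` block continues outside the hunk.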
2 changes: 1 addition & 1 deletion templates/etc/haproxy/conf.d/inc/security.j2
Expand Up @@ -35,7 +35,7 @@
http-request set-var(txn.bot) int(1) if !{ var(txn.bot) -m found } !{ req.fhdr(User-Agent) -m found }

{% for line in cnf.security.flag_bots_lines %}
{{ line }}
http-request set-var(txn.bot) int(1) if !{ var(txn.bot) -m found } {{ line }}
{% endfor %}

http-request set-var(txn.bot) int(0) if !{ var(txn.bot) -m found }
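Review bot: The rewritten loop body now treats each `flag_bots_lines` entry as an ACL fragment appended after `if !{ var(txn.bot) -m found }`, which silently breaks any existing inventory that still supplies full directives as the previous comment in defaults/main/1_main.yml instructed; such an entry renders as `http-request set-var(txn.bot) int(1) if !{ var(txn.bot) -m found } http-request ...` and fails HAProxy config validation at reload time. Since `{{ line }}` is emitted unescaped into the config, consider documenting this as a breaking change and adding a deploy-time guard in the role, e.g. an assert that no entry starts with `http-request`, so a malformed entry is caught before the reload rather than by HAProxy. The `{% for %}` block is fully visible, but the surrounding template continues outside the hunk.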
2 changes: 1 addition & 1 deletion templates/etc/haproxy/conf.d/inc/security_only_fe.j2
@@ -1,7 +1,7 @@
{% if cnf.security.headers | bool %}
# Security headers
{% for header, value in defaults_security_headers.items() %}
http-response set-header {{ header }} "{{ value }}"
http-after-response add-header {{ header }} "{{ value }}" !{ res.hdr({{ header }}) -m found }
{% endfor %}
{% endif %}
{% if cnf.security.fingerprint_ssl | bool %}
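Review bot: The new `http-after-response add-header` line has no `if` in front of the ACL, so `!{ res.hdr({{ header }}) -m found }` is parsed as extra arguments rather than a condition and HAProxy should reject the generated config on load; the line should read `http-after-response add-header {{ header }} "{{ value }}" if !{ res.hdr({{ header }}) -m found }`. The example configs updated in this same commit (ExampleAcme.md, ExampleGeoIP.md, ExampleWAF.md) show `http-response add-header ... if ...`, so they disagree with the template on both the directive and the `if`; `http-after-response` is the better choice because it also covers responses HAProxy generates itself (error pages, redirects), but the examples should then be regenerated to match. The move from `set-header` to a conditional `add-header` also changes the trust model: a backend that emits a weaker value for one of these headers now wins over the role default, which is what the NOTE added in defaults/main/1_main.yml says, and is worth stating in the role README as well.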
