Hi,

If I understand, the 301 is produced by haproxy. If that is the case,
there is an ugly solution.

Haproxy can't add a header to a redirect because redirect is a final
directive. After executing the redirect, no more actions are executed.

The trick is to create a listen proxy dedicated to the redirect, and
modify the response of this proxy from the main proxy. If a dedicated
proxy produces the response, the main proxy considers this as forwarded
traffic and can add headers.

   frontend main
      acl acl_redirect <cond>
      use_backend bck_redirect if acl_redirect
      default_backend bck_main

   backend bck_main
      ... normal processing ...

   backend bck_redirect
      http-response add-header Strict-Transport-Security foo-bar
      server redirect-srv 127.0.0.1:9999 # unix socket is better than tcp/ip over the loopback

   listen redirect-srv
      bind 127.0.0.1:9999
      http-request redirect location ....


Note that I did not test this configuration; it is just for
illustrating the proposed solution. I suppose that this configuration
contains many errors and warnings.

Thierry
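
A check for the behaviour discussed in this thread, as an added example that is not part of Thierry's message or of HAProxy: it parses `curl -I` output and reports whether a redirect carries a valid Strict-Transport-Security header (RFC 6797 rules). The two sample heads are the ones quoted in the thread (the nginx one abridged); the function names are assumptions of this example.

```python
import re

# Response heads quoted in this thread (curl -I output); the nginx one is abridged.
HAPROXY_301 = """HTTP/1.1 301 Moved Permanently
Content-length: 0
Location: https://www.xxx.com/dupa
Connection: close
"""
NGINX_301 = """HTTP/1.1 301 Moved Permanently
Server: nginx
Location: https://xxx.com/
Strict-Transport-Security: max-age=31556926; includeSubDomains
"""

def parse_head(raw):
    """Split a response head into (status_code, {lowercased-name: [values]})."""
    lines = [l.rstrip("\r") for l in raw.strip().split("\n")]
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers

def parse_hsts(value):
    """Parse an STS header value per RFC 6797; return a dict, or None if invalid."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # empty directives (e.g. a trailing ';') are allowed
        name, _, arg = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name in directives:
            return None  # a directive must not appear twice
        directives[name] = arg.strip().strip('"')
    if not re.fullmatch(r"\d+", directives.get("max-age", "")):
        return None  # max-age is required and must be an integer
    return {"max_age": int(directives["max-age"]),
            "include_subdomains": "includesubdomains" in directives,
            "preload": "preload" in directives}

def audit(raw):
    """Return a one-line finding for a response head received over HTTPS."""
    status, headers = parse_head(raw)
    values = headers.get("strict-transport-security", [])
    if not values:
        return f"{status}: HSTS missing"
    policy = parse_hsts(values[0])  # clients process only the first STS header
    if policy is None:
        return f"{status}: HSTS present but invalid"
    return f"{status}: HSTS ok, max-age={policy['max_age']}"
```

The audit only makes sense for responses fetched over HTTPS, since browsers ignore the header on plain HTTP.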



Strict-Transport-Security header into 301 redirect (http-request
redirect code 301) ?


On Sun, 26 Feb 2017 17:36:23 +0000
Andrew Smalley <[email protected]> wrote:

> Sorry, forgot to include the list.
> 
> Please share your config so I can see what you are doing?
> 
> Regards
> 
> Andrew Smalley
> 
> Loadbalancer.org Ltd.
> 
> 
> 
> On 26 February 2017 at 17:32, Bartek Radziszewski <[email protected]>
> wrote:
> 
> > Andrew,
> >
> > Thanks for your answer. Just tested your example one more time and
> > unfortunately the Strict-Transport-Security header is missing during the 301
> > redirect:
> >
> > curl -I https://xxx.com/dupa
> > HTTP/1.1 301 Moved Permanently
> > Content-length: 0
> > Location: https://www.xxx.com/dupa
> > Connection: close
> >
> > Bartek
> >
> >
> > On 26 Feb 2017, at 18:12, Andrew Smalley <[email protected]>
> > wrote:
> >
> > Hello Bartek
> >
> > I think the portion of my example you wanted is below
> >
> > In my example I have a redirect from http to https and as such there is an
> > acl force src of my local IP address
> >
> > Here I add the HSTS and then redirect 301 as you wanted.
> >
> >     http-response set-header Strict-Transport-Security "max-age=15552000; includeSubDomains; preload;"
> >     acl force src 127.0.0.1 # ip of haproxy
> >     reqadd X-Forwarded-Proto:\ https if force
> >     redirect scheme https code 301 if !force
> >
> >
> > Regards
> >
> > Andrew Smalley
> >
> > Loadbalancer.org Ltd.
> >
> >
> >
> > On 26 February 2017 at 17:07, Bartek Radziszewski <[email protected]>
> > wrote:
> >
> >> it's haproxy related.
> >> How to add a header into a 301 redirect?
> >>
> >> On 26 Feb 2017, at 17:54, Andrew Smalley <[email protected]>
> >> wrote:
> >>
> >> Hello Bartek
> >>
> >> I assumed it was haproxy related and as such my example will work.
> >> However I hope the link below helps you get going with NGINX
> >>
> >> https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
> >>
> >> Regards
> >>
> >> Andrew Smalley
> >>
> >> Loadbalancer.org <http://loadbalancer.org/> Ltd.
> >>
> >>
> >>
> >> On 26 February 2017 at 16:47, Bartek Radziszewski <[email protected]>
> >> wrote:
> >>
> >>> Hi Andrew,
> >>>
> >>> Thanks for your answer. Unfortunately your example is not solving my
> >>> issue.
> >>>
> >>> I need to add the Strict-Transport-Security header into a 301 redirect - I
> >>> made it already on nginx:
> >>>
> >>> curl -I https://www.xxx.com
> >>> HTTP/1.1 301 Moved Permanently
> >>> Server: nginx
> >>> Date: Sun, 26 Feb 2017 16:10:59 GMT
> >>> Content-Type: text/html
> >>> Content-Length: 178
> >>> Connection: keep-alive
> >>> Location: https://xxx.com/
> >>> Strict-Transport-Security: max-age=31556926; includeSubDomains
> >>>
> >>> but don’t know how to do it on haproxy.
> >>>
> >>> Thanks,
> >>> Bartek
> >>>
> >>> On 26 Feb 2017, at 17:39, Andrew Smalley <[email protected]>
> >>> wrote:
> >>>
> >>> Hello Bartek
> >>>
> >>> I hope the example below helps with adding a http-response for HSTS /
> >>> Strict-Transport-Security
> >>>
> >>>
> >>> listen hsts_example
> >>>     bind 192.168.0.231:80 transparent
> >>>     mode http
> >>>     http-response set-header Strict-Transport-Security "max-age=15552000; includeSubDomains; preload;"
> >>>     balance leastconn
> >>>     option forwardfor if-none
> >>>     stick on hdr(X-Forwarded-For,-1)
> >>>     stick on src
> >>>     stick-table type string len 64 size 10240k expire 30m peers loadbalancer_replication
> >>>     server backup 127.0.0.1:9081 backup source 0.0.0.0 non-stick
> >>>     source 0.0.0.0 usesrc clientip
> >>>     option http-keep-alive
> >>>     option redispatch
> >>>     option abortonclose
> >>>     maxconn 40000
> >>>     acl force src 192.168.0.250 54.77.60.1
> >>>     reqadd X-Forwarded-Proto:\ https if force
> >>>     redirect scheme https code 301 if !force
> >>>     server RIP_Name 10.0.1.1  weight 100  check port 80 inter 4000  rise 2  fall 2  minconn 0  maxconn 0  on-marked-down shutdown-sessions
> >>>
> >>>
> >>> Regards
> >>>
> >>> Andrew Smalley
> >>>
> >>> Loadbalancer.org <http://loadbalancer.org/> Ltd.
> >>>
> >>>
> >>>
> >>> On 26 February 2017 at 16:18, Bartek Radziszewski <[email protected]>
> >>> wrote:
> >>>
> >>>> Hi,
> >>>>
> >>>> Is it possible to add a Strict-Transport-Security header into a 301 redirect
> >>>> (http-request redirect code 301)?
> >>>>
> >>>> Thanks,
> >>>> Bartek
> >>>>
> >>>
> >>>
> >>>
> >>
> >
> >
