On 12/8/23 14:35, Ionel GARDAIS wrote:
Thanks Tristan.

So typically I’d say to add to every single http frontend:

 http-request set-header X-Forwarded-For %[src]
 http-request set-header X-Forwarded-Host %[hdr(Host)]
 http-request set-header X-Forwarded-Proto %[ssl_fc,iif(https,http)]
 http-request set-header Forwarded "by=${HOSTNAME};for=%[src];host=%[hdr(Host)];proto=%[ssl_fc,iif(https,http)]"


Almost what I already did :)
What about using %[hdr(host,1)] to forcefully use the first Host header if multiple headers are sent?

What I have done:

In "defaults" I have:

 option  forwardfor except 127.0.0.1

In the https frontend, I have the following header-related options, in this order:

 http-request del-header [Ff]orwarded.+ -m reg
 http-request del-header [Xx]-[Ff]orwarded.+ -m reg
 http-request add-header Forwarded "by=\"${HOSTNAME}\"; for=\"%[src]\"; host=\"%[hdr(Host)]\"; proto=https"
 http-request set-header X-H3 true if { so_name -i -m beg quic443 }
 http-request set-header X-Scheme https
 http-request set-header X-Forwarded-Scheme https
 http-request set-header X-Forwarded-Port %fp
 http-request set-header X-Forwarded-Proto https
 http-request set-header X-Forwarded-HTTPS true
 http-request set-header X-Forwarded-Host %[req.hdr(Host)]
 http-request set-header X-Forwarded-SSL true
 http-request set-header X-Haproxy-Current-Date %T
 http-request set-header X-HTTPS on
 http-request set-header X-SSL %[ssl_fc]
 http-request set-header X-SSL-Session_ID %[ssl_fc_session_id,hex]
 http-after-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;"
 http-after-response add-header alt-svc 'h3=":443"; ma=7200'

Question for the group: Does that look like a good config? Should I be doing something different?

Thanks,
Shawn
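
Added example, not part of the thread: a Python model of the two "del-header ... -m reg" rules from the https frontend above, run over constructed header names to see which client-supplied names survive before "add-header Forwarded" appends the proxy's own value. It assumes "-m reg" is an unanchored regex search on the header name; CLIENT_HEADERS and the comparison pattern are constructed for illustration.

```python
import re

# del-header patterns copied from the https frontend in the message above.
DEL_RULES = [r"[Ff]orwarded.+", r"[Xx]-[Ff]orwarded.+"]

# Constructed sample of client-supplied request header names (not from the thread).
CLIENT_HEADERS = [
    "Host", "Forwarded", "Forwarded-For", "X-Forwarded-For",
    "x-forwarded-host", "X-Forwarded-Proto", "X-Real-IP",
]


def deleted_by(rules, name):
    """Return the first rule whose regex matches the header name, else None.

    Assumption: "-m reg" behaves as an unanchored search over the header
    name, modelled here with re.search.
    """
    for rule in rules:
        if re.search(rule, name):
            return rule
    return None


def surviving(rules, names):
    """Header names that no del-header rule removes."""
    return [n for n in names if deleted_by(rules, n) is None]


def forwarded_fields_at_backend(rules, client_names):
    """Client-supplied Forwarded fields that survive, plus the one add-header appends."""
    kept = [n for n in surviving(rules, client_names) if n.lower() == "forwarded"]
    return len(kept) + 1


if __name__ == "__main__":
    for name in CLIENT_HEADERS:
        print(f"{name:20} {deleted_by(DEL_RULES, name) or 'kept'}")
    print("Forwarded fields at backend:",
          forwarded_fields_at_backend(DEL_RULES, CLIENT_HEADERS))
    # Hypothetical comparison pattern that also covers the bare name.
    print("With [Ff]orwarded.* instead:",
          forwarded_fields_at_backend([r"[Ff]orwarded.*"], CLIENT_HEADERS))
```

The ".+" requires at least one character after "orwarded", so the bare name "Forwarded" is the one forwarding header in the sample that neither pattern matches, and the backend then receives the client's value ahead of the appended one.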

