Re: how can I add an HTTP header to prevent clickjacking to the stats page?

2020-06-18 Thread Cristian Grigoriu
Hi Tim,

You are right, I'm running an outdated version. There are plans to upgrade to 
the latest version soon.

Thank you for the example, I learned something new today.

Best regards,
Cristian Grigoriu

> On Jun 18, 2020, at 16:43, Tim Düsterhus wrote:
> 
> Cristian,
> 
> On 18.06.20 at 15:20, Cristian Grigoriu wrote:
>> Thank you for your workaround, it works!
>> 
>> Here's the output of my haproxy -vv command:
>> 
>> HA-Proxy version 1.7.5-2 2017/05/17
> 
> You really should upgrade to HAProxy 1.7.12 at the very least:
> http://www.haproxy.org/bugs/bugs-1.7.5.html
> 
> Starting with the *upcoming* HAProxy 2.2 the following will work
> (http-after-response instead of http-response):
> 
> Config:
> 
>     frontend stats
>         mode http
>         bind *:8080
>         stats enable
>         stats uri /
>         http-after-response set-header X-Frame-Options sameorigin
> 
> Example:
> 
>     $ http --headers localhost:8080
>     HTTP/1.1 200 OK
>     cache-control: no-cache
>     content-type: text/html
>     transfer-encoding: chunked
>     x-frame-options: sameorigin
> 
> Best regards
> Tim Düsterhus




Re: how can I add an HTTP header to prevent clickjacking to the stats page?

2020-06-18 Thread Tim Düsterhus
Cristian,

On 18.06.20 at 15:20, Cristian Grigoriu wrote:
> Thank you for your workaround, it works!
> 
> Here's the output of my haproxy -vv command:
> 
> HA-Proxy version 1.7.5-2 2017/05/17

You really should upgrade to HAProxy 1.7.12 at the very least:
http://www.haproxy.org/bugs/bugs-1.7.5.html

Starting with the *upcoming* HAProxy 2.2 the following will work
(http-after-response instead of http-response):

Config:

    frontend stats
        mode http
        bind *:8080
        stats enable
        stats uri /
        http-after-response set-header X-Frame-Options sameorigin

Example:

    $ http --headers localhost:8080
    HTTP/1.1 200 OK
    cache-control: no-cache
    content-type: text/html
    transfer-encoding: chunked
    x-frame-options: sameorigin

Best regards
Tim Düsterhus
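Added example, not code from Tim's message, from the thread, or from the HAProxy project: a shell script that writes a complete HAProxy 2.2+ stats frontend built around the http-after-response directive above, syntax-checks it when a haproxy binary is on PATH, and provides a header check that confirms a deployed stats page actually returns an anti-clickjacking header, whether it is served by this 2.2 config or by Jarno's chained-proxy workaround further down the thread. The bind address, the trusted_admin source range, the /stats URI, the temporary file paths and the two sample responses are assumptions constructed for the example; the Content-Security-Policy frame-ancestors header is the current standard replacement for X-Frame-Options and goes beyond what the thread shows.

```shell
#!/bin/sh
# Added example (not code from the mailing-list thread or from HAProxy itself).
# Assumptions: HAProxy >= 2.2 for the http-after-response directive, and the
# haproxy/curl binaries on PATH for the two live helpers; everything else
# (addresses, the trusted_admin range, /stats, the sample responses) is made up.
set -eu

# Write a stats-only frontend. http-after-response is evaluated on every
# response HAProxy sends, including those the stats applet generates itself,
# which is why it adds the header where an http-response rule on 1.7 did not.
write_stats_config() {
    cat > "$1" <<'EOF'
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend stats
    bind 127.0.0.1:8080
    stats enable
    stats uri /stats
    stats refresh 10s
    # A clickjacking attack needs a victim who can already load the page, so
    # also limit who can reach it at all (assumed admin range).
    acl trusted_admin src 127.0.0.1 10.0.0.0/8
    http-request deny unless trusted_admin
    # Legacy header the scanner looked for, plus its CSP successor.
    http-after-response set-header X-Frame-Options SAMEORIGIN
    http-after-response set-header Content-Security-Policy "frame-ancestors 'self'"
EOF
}

# Syntax-check a config file if a haproxy binary is available; otherwise report
# that the check was skipped and succeed, so offline runs still complete.
validate_config() {
    if command -v haproxy >/dev/null 2>&1; then
        haproxy -c -q -f "$1"
    else
        echo "haproxy not on PATH, syntax check skipped for $1" >&2
    fi
}

# Read raw HTTP response headers on stdin and exit 0 only if framing by
# untrusted origins is blocked: X-Frame-Options DENY or SAMEORIGIN, or a CSP
# frame-ancestors directive that does not contain "*". The obsolete
# ALLOW-FROM form is deliberately not accepted (current browsers ignore it).
has_frame_protection() {
    tr -d '\r' | awk '
        /^$/ { exit }                       # blank line ends the header block
        {
            idx = index($0, ":")
            if (idx == 0) next              # status line or junk, no name:value
            name = tolower(substr($0, 1, idx - 1))
            val  = tolower(substr($0, idx + 1))
            gsub(/^[ \t]+|[ \t]+$/, "", val)
        }
        name == "x-frame-options" && (val == "deny" || val == "sameorigin") { ok = 1 }
        name == "content-security-policy" {
            n = split(val, d, ";")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+/, "", d[i])
                if (d[i] ~ /^frame-ancestors[ \t]/ && d[i] !~ /\*/) ok = 1
            }
        }
        END { exit (ok ? 0 : 1) }
    '
}

# Fetch only the headers of a live stats URL and run the check (needs curl).
check_stats_url() {
    curl -sS -I --max-time 5 "$1" | has_frame_protection
}

# Constructed sample responses (not captured from a real server). The first is
# what the thread's 1.7 frontend returned: no framing header at all.
unprotected_response() {
    printf 'HTTP/1.1 200 OK\r\nCache-Control: no-cache\r\nContent-Type: text/html\r\n\r\n<html></html>\r\n'
}
protected_response() {
    printf "HTTP/1.1 200 OK\r\nCache-Control: no-cache\r\nContent-Type: text/html\r\nX-Frame-Options: SAMEORIGIN\r\nContent-Security-Policy: frame-ancestors 'self'\r\n\r\n<html></html>\r\n"
}

main() {
    cfg=$(mktemp)
    write_stats_config "$cfg"
    validate_config "$cfg"
    rm -f "$cfg"
    for sample in unprotected_response protected_response; do
        if "$sample" | has_frame_protection; then
            echo "$sample: clickjacking protection present"
        else
            echo "$sample: NO clickjacking protection"
        fi
    done
}
main
```

Run it as `sh stats_frame_check.sh` to write and check the config and classify the two samples; `check_stats_url http://10.11.12.13:9000/stats` runs the same check against a live page. A 1.7.x frontend that only has http-response rules fails the check exactly as the scanner reported, because the stats applet's own response never passes through those rules; the same check passes once the response leaves Jarno's outer listener, or on 2.2+ once http-after-response is in place.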



Re: how can I add an HTTP header to prevent clickjacking to the stats page?

2020-06-18 Thread Cristian Grigoriu
Hi Jarno,

Thank you for your workaround, it works!

Here's the output of my haproxy -vv command:

HA-Proxy version 1.7.5-2 2017/05/17
Copyright 2000-2017 Willy Tarreau 

Build options :
  TARGET  = linux2628
  CPU = generic
  CC  = gcc
  CFLAGS  = -g -O2 -fdebug-prefix-map=/build/haproxy-2dHYaz/haproxy-1.7.5=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2
  OPTIONS = USE_GETADDRINFO=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_PCRE=1 USE_NS=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.8
Running on zlib version : 1.2.8
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with OpenSSL version : OpenSSL 1.1.0e  16 Feb 2017
Running on OpenSSL version : OpenSSL 1.1.0j  20 Nov 2018
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.39 2016-06-14
Running on PCRE version : 8.39 2016-06-14
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with Lua version : Lua 5.3.3
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with network namespace support

Available polling systems :
  epoll : pref=300,  test result OK
   poll : pref=200,  test result OK
 select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available filters :
[COMP] compression
[TRACE] trace
[SPOE] spoe

Best regards,
Cristian Grigoriu

> On Jun 18, 2020, at 15:46, Jarno Huuskonen wrote:
> 
> Hi,
> 
> On Thu, 2020-06-18 at 10:06 +0300, Cristian Grigoriu wrote:
>> Hello everyone,
>> 
>> The vulnerability scanner has flagged the stats page as being vulnerable
>> to clickjacking. I am trying to fix this, by publishing the stats on its
>> own frontend and add a header:
>> 
>> frontend stats
>>     bind 10.11.12.13:9000
>>     stats enable
>>     stats uri /stats
>>     stats refresh 10s
>>     #rspadd X-Frame-Options:\ SAMEORIGIN
>>     http-response set-header X-Frame-Options sameorigin
>> 
>> Neither rspadd nor http-response work, as no header is being added to the
>> response.
>> 
>> Any pointer into the right direction is much appreciated.
> 
> As a workaround chaining two proxies should add the required header:
> 
> listen fakestats
>     bind 10.11.12.13:9000
>     http-response set-header X-Frame-Options sameorigin
>     server realstat abns@statssrv
> 
> frontend stats
>     bind abns@statssrv
>     stats enable
>     stats uri /stats
>     stats refresh 10s
> 
> Can you share your haproxy -vv ? There could be a better way to do this.
> 
> -Jarno
> 
> -- 
> Jarno Huuskonen



Re: how can I add an HTTP header to prevent clickjacking to the stats page?

2020-06-18 Thread Jarno Huuskonen
Hi,

On Thu, 2020-06-18 at 10:06 +0300, Cristian Grigoriu wrote:
> Hello everyone,
> 
> The vulnerability scanner has flagged the stats page as being vulnerable
> to clickjacking. I am trying to fix this, by publishing the stats on its
> own frontend and add a header:
> 
> frontend stats
>  bind 10.11.12.13:9000
>  stats enable
>  stats uri /stats
>  stats refresh 10s
>  #rspadd X-Frame-Options:\ SAMEORIGIN
>  http-response set-header X-Frame-Options sameorigin
> 
> Neither rspadd nor http-response work, as no header is being added to the
> response.
> 
> Any pointer into the right direction is much appreciated.

As a workaround chaining two proxies should add the required header:

listen fakestats
    bind 10.11.12.13:9000
    http-response set-header X-Frame-Options sameorigin
    server realstat abns@statssrv

frontend stats
    bind abns@statssrv
    stats enable
    stats uri /stats
    stats refresh 10s

Can you share your haproxy -vv ? There could be a better way to do this.

-Jarno

-- 
Jarno Huuskonen


Re: Conditional request logging ?

2020-06-18 Thread Tim Düsterhus
Mariusz,

On 18.06.20 at 12:59, Mariusz Gronczewski wrote:
> Is there a way to log requests that match the given ACL (and only that
> ACL) ? I know I can capture headers by ACL but I can't seem to find any
> way to do that for whole log entries.
> 

Use http-response set-log-level silent. See:
http://cbonte.github.io/haproxy-dconv/2.1/configuration.html#4.2-http-response%20set-log-level

Best regards
Tim Düsterhus
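Added example, not Tim's code or the HAProxy project's: a complete frontend that applies the set-log-level directive he points to. It silences every request that does not match a logging ACL up front with http-request set-log-level (the request-side twin of the http-response form), and uses the http-response form to turn logging back on for server errors, since the status code is only known once the response arrives. The ACL names, paths, addresses, ports and the backend are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not code from the thread or from HAProxy). Assumptions: the
# ACL names, paths, addresses and the app backend are invented; a haproxy
# binary on PATH is optional and only used for a syntax check.
set -eu

# Write a frontend that logs only what the ACLs select. A later set-log-level
# overrides an earlier one for the same request, so the response-side rule can
# undo the request-side "silent" when the server answers with a 5xx.
write_logging_config() {
    cat > "$1" <<'EOF'
global
    log 127.0.0.1 local0

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend www
    bind 127.0.0.1:8080
    # Everything known from the request alone (path, headers, source address)
    # can be decided before the backend is contacted.
    acl log_me path_beg /admin /login
    http-request set-log-level silent unless log_me
    # Conditions that depend on the response, such as the status code, are only
    # available in http-response; log server errors even for silenced paths.
    acl srv_error status 500:599
    http-response set-log-level err if srv_error
    default_backend app

backend app
    server app1 127.0.0.1:9000
EOF
}

# Syntax-check with haproxy when it is installed; succeed with a note otherwise.
check_logging_config() {
    if command -v haproxy >/dev/null 2>&1; then
        haproxy -c -q -f "$1"
    else
        echo "haproxy not on PATH, syntax check skipped for $1" >&2
    fi
}

main() {
    cfg=$(mktemp)
    write_logging_config "$cfg"
    check_logging_config "$cfg"
    cat "$cfg"
    rm -f "$cfg"
}
main
```

Requests to /admin or /login are logged at the default level, requests anywhere else are dropped from the log, and any request that ends in a 5xx is logged at level err regardless of path. Keep the silenced set narrow: requests that never reach the log also never reach whatever alerting or forensics consumes it.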



Conditional request logging ?

2020-06-18 Thread Mariusz Gronczewski
Hello,

Is there a way to log requests that match the given ACL (and only that
ACL) ? I know I can capture headers by ACL but I can't seem to find any
way to do that for whole log entries.

Cheers

Mariusz



how can I add an HTTP header to prevent clickjacking to the stats page?

2020-06-18 Thread Cristian Grigoriu
Hello everyone,

The vulnerability scanner has flagged the stats page as being vulnerable to 
clickjacking. I am trying to fix this, by publishing the stats on its own 
frontend and add a header:

frontend stats
 bind 10.11.12.13:9000
 stats enable
 stats uri /stats
 stats refresh 10s
 #rspadd X-Frame-Options:\ SAMEORIGIN
 http-response set-header X-Frame-Options sameorigin

Neither rspadd nor http-response work, as no header is being added to the 
response.

Any pointer into the right direction is much appreciated.

Thank you,
Cristian Grigoriu