add header into http-request redirect

Bartek Radziszewski
add header into http-request redirect
February 26, 2017 05:30PM
Hi,

Is it possible to add the Strict-Transport-Security header to a 301 redirect (http-request redirect code 301)?

Thanks,
Bartek
Andrew Smalley
Re: add header into http-request redirect
February 26, 2017 05:50PM
Hello Bartek

I hope the example below helps with adding an http-response for HSTS / Strict-Transport-Security.


listen hsts_example
    bind 192.168.0.231:80 transparent
    mode http
    http-response set-header Strict-Transport-Security "max-age=15552000; includeSubDomains; preload;"
    balance leastconn
    option forwardfor if-none
    stick on hdr(X-Forwarded-For,-1)
    stick on src
    stick-table type string len 64 size 10240k expire 30m peers loadbalancer_replication
    server backup 127.0.0.1:9081 backup source 0.0.0.0 non-stick
    source 0.0.0.0 usesrc clientip
    option http-keep-alive
    option redispatch
    option abortonclose
    maxconn 40000
    acl force src 192.168.0.250 54.77.60.1
    reqadd X-Forwarded-Proto:\ https if force
    redirect scheme https code 301 if !force
    server RIP_Name 10.0.1.1 weight 100 check port 80 inter 4000 rise 2 fall 2 minconn 0 maxconn 0 on-marked-down shutdown-sessions


Regards

Andrew Smalley

Loadbalancer.org Ltd.



Bartek Radziszewski
Re: add header into http-request redirect
February 26, 2017 05:50PM
Hi Andrew,

Thanks for your answer. Unfortunately your example does not solve my issue.

I need to add the Strict-Transport-Security header to a 301 redirect; I have already done it on nginx:

curl -I https://www.xxx.com
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Sun, 26 Feb 2017 16:10:59 GMT
Content-Type: text/html
Content-Length: 178
Connection: keep-alive
Location: https://xxx.com/
Strict-Transport-Security: max-age=31556926; includeSubDomains

but I don't know how to do it on haproxy.

Thanks,
Bartek

Andrew Smalley
Re: add header into http-request redirect
February 26, 2017 06:00PM
Hello Bartek

I assumed it was haproxy related, and as such my example will work. However, I hope the link below helps you get going with NGINX.

https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/

Regards

Andrew Smalley

Loadbalancer.org Ltd.



Bartek Radziszewski
Re: add header into http-request redirect
February 26, 2017 06:10PM
It's haproxy related.
How to add a header into a 301 redirect?

Andrew Smalley
Re: add header into http-request redirect
February 26, 2017 06:20PM
Hello Bartek

I think the portion of my example you wanted is below.

In my example I have a redirect from http to https, and as such there is an acl force src for my local ip address.

Here I add the HSTS and then redirect 301 as you wanted.

    http-response set-header Strict-Transport-Security "max-age=15552000; includeSubDomains; preload;"
    acl force src 127.0.0.1 # ip of haproxy
    reqadd X-Forwarded-Proto:\ https if force
    redirect scheme https code 301 if !force


Regards

Andrew Smalley

Loadbalancer.org Ltd.



Bartek Radziszewski
Re: add header into http-request redirect
February 26, 2017 06:40PM
Andrew,

Thanks for your answer. I just tested your example one more time and unfortunately the Strict-Transport-Security header is missing from the 301 redirect:

curl -I https://xxx.com/dupa
HTTP/1.1 301 Moved Permanently
Content-length: 0
Location: https://www.xxx.com/dupa
Connection: close

Bartek


Andrew Smalley
Re: add header into http-request redirect
February 26, 2017 06:40PM
Sorry, forgot to include the list.

Please share your config so I can see what you are doing.

Regards

Andrew Smalley

Loadbalancer.org Ltd.



Michael Ezzell
Re: add header into http-request redirect
February 26, 2017 06:50PM
On Feb 26, 2017 12:14, "Andrew Smalley" <[email protected]> wrote:

> Hello Bartek
>
> I think the portion of my example you wanted is below
>
> In my example I have a redirect from http to https and as such there is an
> acl force src for my local ip address
>
> Here I add the HSTS and then redirect 301 as you wanted.
>
>     http-response set-header Strict-Transport-Security "max-age=15552000; includeSubDomains; preload;"


Andrew, I don't think http-response <anything> is going to be processed
when the request results in a redirect generated internally by HAProxy...
is it? The response isn't really from a back-end, so I wouldn't expect
those rules to fire.
Andrew Smalley
Re: add header into http-request redirect
February 26, 2017 07:10PM
I did it again. Sometimes I blame my tools, but I wish Google would reply to
all, all the time. Apologies, Michael.

Hello Bartek, Michael,

Actually, on further reading, what you are trying to do is incorrect
according to the URL at the end of my reply.

It's not possible for any browser that has ever seen the redirect. It is
cached indefinitely. A 301 redirect should only be used when you are
retiring a site permanently, and even then it's a bad idea: you lose
visibility of the traffic still hitting the old site.

The link suggests this: "So change it to a 302 redirect before you do
anything else."

Haproxy is not a webserver. It has no means to generate a header containing
dynamic data; if you really want a date header, use a webserver. There are
several lightweight ones capable of this task.

Alternatively, tell us why you *need* such a header and we might be able to
advise on a more apposite solution.


http://serverfault.com/questions/671916/inject-header-in-haproxy-redirect-function

Regards

Andrew Smalley

Loadbalancer.org Ltd.



Anonymous User
Re: add header into http-request redirect
February 26, 2017 07:10PM
Hi,

If I understand correctly, the 301 is produced by haproxy. If that is the case,
there is an ugly solution.

Haproxy can't add a header to a redirect because redirect is a final
directive. After executing the redirect, no more actions are executed.

The trick is to create a listen proxy dedicated to the redirect, and
modify the response of this proxy from the main proxy. If a dedicated
proxy produces the response, the main proxy considers this as forwarded
traffic and can add headers.

frontend main
    acl acl_redirect <cond>
    use_backend bck_redirect if acl_redirect
    default_backend bck_main

backend bck_main
    ... normal processing ...

backend bck_redirect
    # the 301 comes back from redirect-srv as a server response,
    # so http-response rules apply to it
    http-response add-header Strict-Transport-Security foo-bar
    server redirect-srv 127.0.0.1:9999 # a unix socket is better than tcp/ip over the loopback

listen redirect-srv
    bind 127.0.0.1:9999
    http-request redirect location ....


Note that I did not test this configuration; it is just to
illustrate the proposed solution. I suppose that this configuration
contains many errors and warnings.

Thierry



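Thierry's loopback trick carried through as a complete configuration (an added example, not from the thread or the HAProxy project): the TLS frontend hands plain-HTTP requests and HTTPS requests for the bare apex to a backend whose only server is a second HAProxy listener on a unix socket; that listener issues the 301, and because the reply returns through a server, the backend's http-response rule can attach Strict-Transport-Security, which the HSTS preload submission checks require on the apex's HTTPS redirect. The host names example.com and www.example.com, the certificate path, the application server address and the socket path are assumptions.

```haproxy
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_main
    bind :80
    bind :443 ssl crt /etc/haproxy/certs/example.com.pem   # assumed certificate path

    # Assumed hosts: the apex example.com must redirect to www.example.com.
    acl is_https ssl_fc
    acl is_apex  req.hdr(host) -i example.com

    # Every plain-HTTP request and every HTTPS request for the apex is sent
    # to the redirect backend instead of being redirected here directly.
    use_backend be_redirect if !is_https
    use_backend be_redirect if is_https is_apex
    default_backend be_app

backend be_app
    # Ordinary application responses carry HSTS too.
    http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    server app1 10.0.0.1:80 check   # assumed application server

backend be_redirect
    # The 301 is produced by li_redirect below and returns to this backend
    # as a normal server response, so http-response rules run on it; an
    # "http-request redirect" placed here would be final and skip them.
    # Browsers only accept HSTS over HTTPS (RFC 6797), so the header is
    # what makes the apex redirect on port 443 preload-eligible; on the
    # plain-HTTP redirect it is harmless and ignored.
    http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    server redirect_srv unix@/var/run/haproxy/redirect.sock   # assumed socket path

listen li_redirect
    bind unix@/var/run/haproxy/redirect.sock
    # "prefix" keeps the original request URI, so a request for /dupa lands on
    # https://www.example.com/dupa whether it arrived over HTTP or on the apex.
    http-request redirect prefix https://www.example.com code 301
```

Verify with `curl -I https://example.com/dupa`: the 301 should now list both `Location: https://www.example.com/dupa` and the Strict-Transport-Security header, which the direct-redirect setup earlier in the thread did not.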
Lukas Tribus
Re: add header into http-request redirect
February 26, 2017 08:00PM
Hi,


On 26.02.2017 at 19:02, thierry.fournier@arpalert.org wrote:
> Hi,
>
> If I understand correctly, the 301 is produced by haproxy. If that is the case,
> there is an ugly solution.
>
> Haproxy can't add a header to a redirect because redirect is a final
> directive. After executing the redirect, no more actions are executed.
>
> The trick is to create a listen proxy dedicated to the redirect, and
> modify the response of this proxy from the main proxy. If a dedicated
> proxy produces the response, the main proxy considers this as forwarded
> traffic and can add headers.

Also see:
http://blog.haproxy.com/2015/06/09/haproxy-and-http-strict-transport-security-hsts-header-in-http-redirects/


Lukas
Igor Cicimov
Re: add header into http-request redirect
February 26, 2017 11:30PM
Hi Lukas,

Maybe I'm stupid, but in the example from the link you sent:

frontend fe_myapp
    bind :443 ssl crt /path/to/my/cert.pem
    bind :80
    use_backend be_dummy if !{ ssl_fc }
    default_backend be_myapp

backend be_myapp
    http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload;
    server s1 10.0.0.1:80

backend be_dummy
    server haproxy_fe_dummy_ssl_redirect 127.0.0.1:8000

frontend fe_dummy
    bind 127.0.0.1:8000
    http-request redirect scheme https

I don't see how the HSTS header is being inserted in the redirect?
Igor Cicimov
Re: add header into http-request redirect
February 26, 2017 11:30PM
Except if the purpose was to point to the fact that HSTS in an http response
is going to be ignored...
Lukas Tribus
Re: add header into http-request redirect
February 27, 2017 01:30AM
Hi Igor,


On 26.02.2017 at 23:19, Igor Cicimov wrote:
>
> I don't see how the HSTS header is being inserted in the redirect?

You're right, it doesn't. My bad, I didn't read the article properly.

However the example in the email from Thierry should do the trick; I
thought the article does the same.



Regards,

Lukas
Willy Tarreau
Re: add header into http-request redirect
February 28, 2017 08:00AM
Hi Thierry,

On Sun, Feb 26, 2017 at 07:02:52PM +0100, thierry.fournier@arpalert.org wrote:
> Haproxy can't add a header to a redirect because redirect is a final
> directive. After executing the redirect no more actions are executed.

We really need to think about it for the short term future because it's
not the first time we need this. Having a few "header" directives on
the "redirect" rules could help, but I already expect that everyone
will want these ones to support dynamic log-formats etc...

In the meantime I think there is an alternate, even uglier trick but
I have not tested it:

http-request redirect location "https://blah..\r\nStrict-Transport-Security: foobar"

The idea is that the string presented in "location" will be copy-pasted
as-is in the Location header, so I guess that if it contains a CRLF it
will be appended as is. Yes I know it's ugly and it would be better to
support more flexible responses.

Cheers,
Willy
Tim Düsterhus
Re: add header into http-request redirect
March 13, 2018 12:50AM
Willy,

I'd like to bring this issue to your attention again, possibly you are
able to find a solution for haproxy 1.9?

This issue prevents me from submitting one domain to the HSTS preload
list, as I need to perform a redirect on the zone's apex and that
redirect does not include the HSTS header.

Best regards
Tim Düsterhus

Mailing list link of the quoted mail:
https://www.mail-archive.com/[email protected]/msg25061.html

On 28.02.2017 at 07:49, Willy Tarreau wrote:
> On Sun, Feb 26, 2017 at 07:02:52PM +0100, thierry.fournier@arpalert.org wrote:
>> Haproxy can't add a header to a redirect because redirect is a final
>> directive. After executing the redirect no more actions are executed.
>
> We really need to think about it for the short term future because it's
> not the first time we need this. Having a few "header" directives on
> the "redirect" rules could help, but I already expect that everyone
> will want these ones to support dynamic log-formats etc...
>
> In the meantime I think there is an alternate, even uglier trick but
> I have not tested it:
>
> http-request redirect location "https://blah..\r\nStrict-Transport-Security: foobar"
>
> The idea is that the string presented in "location" will be copy-pasted
> as-is in the Location header, so I guess that if it contains a CRLF it
> will be appended as is. Yes I know it's ugly and it would be better to
> support more flexible responses.
>
> Cheers,
> Willy
>
Willy Tarreau
Re: add header into http-request redirect
March 19, 2018 12:00PM
Hi Tim,

On Tue, Mar 13, 2018 at 12:37:44AM +0100, Tim Düsterhus wrote:
> Willy,
>
> I'd like to bring this issue to your attention again, possibly you are
> able to find a solution for haproxy 1.9?

I hope so, but we'll need to be sure that someone is assigned to this,
otherwise I'll keep being busy with other stuff.

> This issue prevents me from submitting one domain to the HSTS preload
> list, as I need to perform a redirect on the zone's apex and that
> redirect does not include the HSTS header.

I *suspect* that in the end we could simply add a series of "header"
statements to the redirect rules. These ones would be followed by a
log-format expression making it possible to send various elements in
these response. But if it's mainly needed for HSTS, probably that in
the end we could be fine with (at least initially) adding a single
"header" directive. We'd then have :

http-request redirect location "/foo" header x-my-header "my-expression"

Just my two cents,
Willy
Tim Düsterhus
Re: add header into http-request redirect
March 19, 2018 09:50PM
Willy,

On 19.03.2018 at 11:54, Willy Tarreau wrote:
>> This issue prevents me from submitting one domain to the HSTS preload
>> list, as I need to perform a redirect on the zone's apex and that
>> redirect does not include the HSTS header.
>
> I *suspect* that in the end we could simply add a series of "header"
> statements to the redirect rules. These ones would be followed by a
> log-format expression making it possible to send various elements in
> these response. But if it's mainly needed for HSTS, probably that in
> the end we could be fine with (at least initially) adding a single
> "header" directive. We'd then have :
>
> http-request redirect location "/foo" header x-my-header "my-expression"
>

HSTS probably is the most important one. Personally I also add the
unique-id-header to the responses to be able to correlate them to my logs:

> unique-id-header X-Req-ID
> http-response set-header X-Req-ID %[unique-id]

It would be good to have them in the redirect responses (but not really
critical).
As a side question: Why do I have to use unique-id-header instead of
http-request set-header for the unique request ID? And why can't I
capture it with capture (request|response) header but instead have to
plug it manually into the log format? This feels inconsistent.

-----

I don't really like the duplication of configuration, though. This would
be introducing a special case where really no special case should be
needed and would require me to update headers in two places. But I'm
also not deep enough in haproxy's internals to know how hard it would be
treating the `redirect` like a regular backend response and applying the
regular http-response logic there.

Best regards
Tim Düsterhus
Willy Tarreau
Re: add header into http-request redirect
March 19, 2018 10:00PM
On Mon, Mar 19, 2018 at 09:40:01PM +0100, Tim Düsterhus wrote:
> As a side question: Why do I have to do unique-id-header, instead of
> http-request set-header for the unique request ID? And why can't I
> capture it with capture (request|response) header but instead have to
> plug into manually into the log format? This feels inconsistent.

Simply because unique-id was created many years before the extensible
log-format you know today existed, and apparently nobody felt the
need to port it. It may be as simple as creating a few sample fetches,
I don't know.

> I don't really like the duplication of configuration, though. This would
> be introducing a special case where really no special case should be
> needed and would require me to update headers in two places. But I'm
> also not deep enough in haproxy's internals to know how hard it would be
> treating the `redirect` like a regular backend response and applying the
> regular http-response logic there.

I really think it's where we need to invest more thoughts. At least you
provided two use cases and that shows that a single header directive
might not be enough, and that HSTS definitely isn't a special case at
all.

Cheers,
Willy
Tim Düsterhus
Re: add header into http-request redirect
March 19, 2018 10:10PM
Willy,

On 19.03.2018 at 21:47, Willy Tarreau wrote:
> Simply because unique-id was created many years before the extensible
> log-format you know today existed, and apparently nobody felt the
> need to port it. It may be as simple as creating a few sample fetches,
> I don't know.

This was more of a rhetorical question. It looks like the unique ID
is handled somewhat differently in the processing (just like the
redirects are). I mentioned it because it possibly is related. Here's an
example configuration:

> global
> stats timeout 30s
>
> defaults
> log global
> timeout connect 5s
> timeout client 50s
> timeout server 50s
> unique-id-format %{+X}o\ REQ-%Ts%rt
>
> frontend fe_http
> mode http
>
> bind :::8080 v4v6
>
> unique-id-header X-Req-ID1
> http-request set-header X-Req-ID2 %ID
> http-response set-header X-Req-ID %ID
>
> use_backend bk_example
>
> backend bk_example
> mode http
>
> http-request set-header Host postb.in
> server example postb.in:80

I feel like X-Req-ID1 and X-Req-ID2 should have the same value for the
upstream service, yet X-Req-ID2 is *empty* for `http-request set-header`
and works fine for `http-response set-header`. This does not look like
missing fetches, but rather like the ID being generated *after*
http-request set-header already has been processed.

> I really think it's where we need to invest more thoughts. At least you
> provided two use cases and that shows that a single header directive
> might not be enough, and that HSTS definitely isn't a special case at
> all.
>

Here are two more that came to my mind:

- Expect-CT
- Public-Key-Pins (a.k.a. HPKP)

Both are deeply related to HSTS due to being TLS security headers. The
latter is being deprecated by the browsers, because of footgun issues,
though. The former is fairly new.

Best regards
Tim Düsterhus
Willy Tarreau
Re: add header into http-request redirect
March 19, 2018 10:20PM
On Mon, Mar 19, 2018 at 10:04:25PM +0100, Tim Düsterhus wrote:
> Willy,
>
> On 19.03.2018 at 21:47, Willy Tarreau wrote:
> > Simply because unique-id was created many years before the extensible
> > log-format you know today existed, and apparently nobody felt the
> > need to port it. It may be as simple as creating a few sample fetches,
> > I don't know.
>
> This was more of a rhetorical question. It looks like the unique ID
> is handled somewhat differently in the processing (just like the
> redirects are). I mentioned it because it possibly is related. Here's an
> example configuration:
>
> > global
> > stats timeout 30s
> >
> > defaults
> > log global
> > timeout connect 5s
> > timeout client 50s
> > timeout server 50s
> > unique-id-format %{+X}o\ REQ-%Ts%rt
> >
> > frontend fe_http
> > mode http
> >
> > bind :::8080 v4v6
> >
> > unique-id-header X-Req-ID1
> > http-request set-header X-Req-ID2 %ID
> > http-response set-header X-Req-ID %ID
> >
> > use_backend bk_example
> >
> > backend bk_example
> > mode http
> >
> > http-request set-header Host postb.in
> > server example postb.in:80
>
> I feel like X-Req-ID1 and X-Req-ID2 should have the same value for the
> upstream service, yet X-Req-ID2 is *empty* for `http-request set-header`
> and works fine for `http-response set-header`. This does not look like
> missing fetches, but rather like the ID being generated *after*
> http-request set-header already has been processed.

Looks like it indeed. By then there was no "http-request" ruleset
either. Maybe we could move it to a place where it's generated
earlier, or maybe we could ensure that it's computed on the fly
when the associated sample fetch function is called for %ID (I
didn't remember it was available like this).

> > I really think it's where we need to invest more thoughts. At least you
> > provided two use cases and that shows that a single header directive
> > might not be enough, and that HSTS definitely isn't a special case at
> > all.
> >
>
> Here are two more that came to my mind:
>
> - Expect-CT
> - Public-Key-Pins (a.k.a. HPKP)
>
> Both are deeply related to HSTS due to being TLS security headers. The
> latter is being deprecated by the browsers, because of footgun issues,
> though. The former is fairly new.

Yes, it's still a draft (unless I missed the announcement).

Thanks for your inputs.

Willy
Tim Düsterhus
Re: add header into http-request redirect
March 19, 2018 10:30PM
Willy,

On 19.03.2018 at 22:15, Willy Tarreau wrote:
> Looks like it indeed. By then there was no "http-request" ruleset
> either. Maybe we could move it to a place where it's generated
> earlier, or maybe we could ensure that it's computed on the fly
> when the associated sample fetch function is called for %ID (I
> didn't remember it was available like this).

Is there some specific place I should file this "bug" report or is my
email sufficient for you to keep track of?

>>
>> Here are two more that came to my mind:
>>
>> - Expect-CT
>> - Public-Key-Pins (a.k.a. HPKP)
>>
>> Both are deeply related to HSTS due to being TLS security headers. The
>> latter is being deprecated by the browsers, because of footgun issues,
>> though. The former is fairly new.
>
> Yes it's still a draft (unless I missed the announce).
>

Expect-CT technically is still a draft [1], but it has been implemented since
Google Chrome 61 [2]. Personally I know that Cloudflare is already
setting that header on their responses.

HPKP is deprecated in Google Chrome and header processing will be
removed in Chrome 67 (which is due in May).

Best regards
Tim Düsterhus

[1] https://tools.ietf.org/html/draft-ietf-httpbis-expect-ct-02
[2] https://www.chromestatus.com/feature/5677171733430272
[3] https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/he9tr7p3rZ8/eNMwKPmUBAAJ
Willy Tarreau
Re: add header into http-request redirect
March 19, 2018 11:10PM
On Mon, Mar 19, 2018 at 10:23:47PM +0100, Tim Düsterhus wrote:
> Willy,
>
> On 19.03.2018 at 22:15, Willy Tarreau wrote:
> > Looks like it indeed. By then there was no "http-request" ruleset
> > either. Maybe we could move it to a place where it's generated
> > earlier, or maybe we could ensure that it's computed on the fly
> > when the associated sample fetch function is called for %ID (I
> > didn't remember it was available like this).
>
> Is there some specific place I should file this "bug" report or is my
> email sufficient for you to keep track of?

We hope soon to reuse the GitHub issues for such things. For now it's
already on my todo list.

Willy