HaProxy X-Frame-Options with SAMEORIGIN & ALLOW-FROM

Posted by Devendra Joshi 
Devendra Joshi
HaProxy X-Frame-Options with SAMEORIGIN & ALLOW-FROM
March 16, 2017 08:00AM
Hi All,

I want to set X-Frame-Options to SAMEORIGIN, but it should be iframed or accessed
by one of our subdomain websites.
I mean I want to allow www.abc.com from oms.abc.com.

Does anyone know how to set X-Frame-Options with SAMEORIGIN & ALLOW-FROM in
HAProxy?

I added one setting in the haproxy config file, but it shows an error.

acl main_site req.hdr(Host) http://www.abc.com
http-response add-header X-Frame-Options:\ ALLOW-FROM\ http://oms.abc.com if main_site
http-response add-header X-Frame-Options:\ SAMEORIGIN if ! main_site



Error is :
[ALERT] 074/100716 (29069) : parsing [/opt/haproxy-ssl/haproxy.cfg:42]:
'http-response add-header' expects exactly 2 arguments.
[ALERT] 074/100716 (29069) : parsing [/opt/haproxy-ssl/haproxy.cfg:43]:
'http-response add-header' expects exactly 2 arguments.

Please suggest what syntax I should use for this.
I am using HA-Proxy version 1.5.14



Devendra Joshi
--------------------------------------------------------------
--------------------------------------------
Jarno Huuskonen
Re: HaProxy X-Frame-Options with SAMEORIGIN & ALLOW-FROM
March 16, 2017 09:00AM
Hi,

On Thu, Mar 16, Devendra Joshi wrote:
> Any one one know how to set X-Frame-Options with SAMEORIGIN & ALLOW-FROM in
> HaProxy
>
> I added one setting in haproxy config file but showing error.
>
> acl main_site req.hdr(Host) http://www.abc.com
> http-response add-header X-Frame-Options:\ ALLOW-FROM\ http://oms.abc.com if
> main_site
> http-response add-header X-Frame-Options:\ SAMEORIGIN if ! main_site

http-response add-header X-Frame-Options ALLOW-FROM\ http://oms.abc.com if main_site
http-response add-header X-Frame-Options SAMEORIGIN if ! main_site
(https://cbonte.github.io/haproxy-dconv/1.5/configuration.html#4-http-response)

(but AFAIK the request acl won't work on http-response rule).

-Jarno

>
> Error is :
> [ALERT] 074/100716 (29069) : parsing [/opt/haproxy-ssl/haproxy.cfg:42]:
> 'http-response add-header' expects exactly 2 arguments.
> [ALERT] 074/100716 (29069) : parsing [/opt/haproxy-ssl/haproxy.cfg:43]:
> 'http-response add-header' expects exactly 2 arguments.
>
> Please suggest what syntax should i use for this.
> I am using HA-Proxy version 1.5.14

--
Jarno Huuskonen
Devendra Joshi
Re: HaProxy X-Frame-Options with SAMEORIGIN & ALLOW-FROM
March 16, 2017 09:30AM
Hi Jarno

Thanks for your reply.

I have added the following lines in the frontend:

acl main_site req.hdr(Host) -i http://www.abc.com http://oms.abc.com/
http-response add-header X-Frame-Options ALLOW-FROM\ http://oms.naaptol.com if main_site
http-response add-header X-Frame-Options SAMEORIGIN if ! main_site

I got some errors:

[WARNING] 074/135257 (35900) : parsing [/opt/haproxy-ssl/haproxy.cfg:42] :
acl 'main_site' will never match because it only involves keywords that are
incompatible with 'backend http-response header rule'
[WARNING] 074/135257 (35900) : parsing [/opt/haproxy-ssl/haproxy.cfg:43] :
acl 'main_site' will never match because it only involves keywords that are
incompatible with 'backend http-response header rule'








Devendra Joshi
Jarno Huuskonen
Re: HaProxy X-Frame-Options with SAMEORIGIN & ALLOW-FROM
March 16, 2017 10:20AM
Hi,

On Thu, Mar 16, Devendra Joshi wrote:
> acl main_site req.hdr(Host) -i http://www.abc.com http://oms.abc.com/

Host headers don't usually have http:// (or https://) (or did the email
mailer add the http://?).
Usually I use hdr_dom(Host) -i www.abc.com

> http-response add-header X-Frame-Options ALLOW-FROM\ http://oms.naaptol.com
> if main_site
> http-response add-header X-Frame-Options SAMEORIGIN if ! main_site
>
> I got some error :
>
> [WARNING] 074/135257 (35900) : parsing [/opt/haproxy-ssl/haproxy.cfg:42] :
> acl 'main_site' will never match because it only involves keywords that are
> incompatible with 'backend http-response header rule'
> [WARNING] 074/135257 (35900) : parsing [/opt/haproxy-ssl/haproxy.cfg:43] :
> acl 'main_site' will never match because it only involves keywords that are
> incompatible with 'backend http-response header rule'

> > (but AFAIK the request acl won't work on http-response rule).

With haproxy 1.5.x you might need to use different backends. Something
like:
frontend test
    acl main_site hdr_dom(Host) -i www.abc.com
    use_backend BE_mainsite if main_site
    default_backend BE_nomain

backend BE_mainsite
    ...
    http-response add-header X-Frame-Options ALLOW-FROM\ http://oms.naaptol.com
    server s1 ip.add.re.ss:port ...
    server s2 ip2.add.re.ss:port ...
    ...

backend BE_nomain
    ...
    http-response add-header X-Frame-Options SAMEORIGIN
    server s1 ip.add.re.ss:port track BE_mainsite/s1 ...
    server s2 ip2.add.re.ss:port track BE_mainsite/s2 ...

With haproxy 1.6/1.7 you could use captures or variables:
http://blog.haproxy.com/2015/10/14/whats-new-in-haproxy-1-6/

So something like:
frontend test
    # reserve capture slot 0 and store the request Host header in it
    declare capture request len 64
    http-request capture req.hdr(Host) id 0
    ...

backend bename
    # the captured value is still available when the response rules run
    acl main_site capture.req.hdr(0) -i www.abc.com
    http-response add-header X-Frame-Options ALLOW-FROM\ http://oms.naaptol.com if main_site
    http-response add-header X-Frame-Options SAMEORIGIN if ! main_site

(These examples are from the top of my head, so they probably won't work as
is ...)

-Jarno

--
Jarno Huuskonen
Hi,


On 16.03.2017 08:51, Jarno Huuskonen wrote:
> Hi,
>
> On Thu, Mar 16, Devendra Joshi wrote:
>> Any one one know how to set X-Frame-Options with SAMEORIGIN & ALLOW-FROM in
>> HaProxy
>>
>> I added one setting in haproxy config file but showing error.
>>
>> acl main_site req.hdr(Host) http://www.abc.com
>> http-response add-header X-Frame-Options:\ ALLOW-FROM\ http://oms.abc.com if
>> main_site
>> http-response add-header X-Frame-Options:\ SAMEORIGIN if ! main_site
>
> http-response add-header X-Frame-Options ALLOW-FROM\ http://oms.abc.com if main_site
> http-response add-header X-Frame-Options SAMEORIGIN if ! main_site
> (https://cbonte.github.io/haproxy-dconv/1.5/configuration.html#4-http-response)
>
> (but AFAIK the request acl won't work on http-response rule).

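Just for your info: in haproxy 1.6 and higher you can do something like this
--
frontend fe_default

    ...

    # the first capture in the frontend becomes capture.req.hdr(0)
    capture request header Host len 128

    # keep the request Host in a transaction variable for the response rules
    http-request set-var(txn.Host) req.hdr(Host)
    acl main_site var(txn.Host) -m dom -i www.abc.com

    # main site: allow framing from oms.abc.com
    http-response set-header X-Frame-Options 'ALLOW-FROM http://oms.abc.com' if { capture.req.hdr(0) -m found } main_site
    # everything else: same-origin framing only
    http-response set-header X-Frame-Options 'SAMEORIGIN' if { capture.req.hdr(0) -m found } !main_site
---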

cheers,
thomas


>
> -Jarno
>
>>
>> Error is :
>> [ALERT] 074/100716 (29069) : parsing [/opt/haproxy-ssl/haproxy.cfg:42]:
>> 'http-response add-header' expects exactly 2 arguments.
>> [ALERT] 074/100716 (29069) : parsing [/opt/haproxy-ssl/haproxy.cfg:43]:
>> 'http-response add-header' expects exactly 2 arguments.
>>
>> Please suggest what syntax should i use for this.
>> I am using HA-Proxy version 1.5.14
>
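The approach discussed in this thread for HAProxy 1.6 and later, consolidated into one frontend as an added example (not code from any of the posters). The hostnames are the ones used in the thread; the backend name `be_app` and the server address are placeholders, and the example assumes the application sends no Content-Security-Policy header of its own. Current browsers ignore `ALLOW-FROM`, so the same policy is also expressed with CSP `frame-ancestors`.

```haproxy
# Added example (constructed); requires HAProxy 1.6+ for variables and quoting.
frontend fe_default
    mode http
    bind :80

    # req.hdr() is a request-side fetch and is not available in http-response
    # rules (the cause of the "will never match" warning). Save the Host
    # header, lower-cased and without any :port suffix, in a transaction
    # variable that is still set when the response is processed.
    http-request set-var(txn.host) req.hdr(Host),lower,field(1,:)

    # Exact string match on the saved value. If the variable is unset the
    # ACL is false, so the request falls through to the SAMEORIGIN rules.
    acl main_site var(txn.host) -m str www.abc.com

    # set-header replaces an X-Frame-Options header sent by the backend;
    # add-header would leave the client with two conflicting values.
    http-response set-header X-Frame-Options "ALLOW-FROM http://oms.abc.com" if main_site
    http-response set-header X-Frame-Options SAMEORIGIN if !main_site

    # CSP equivalent: the site itself plus oms.abc.com may frame www.abc.com,
    # every other host is limited to same-origin framing.
    http-response set-header Content-Security-Policy "frame-ancestors 'self' http://oms.abc.com" if main_site
    http-response set-header Content-Security-Policy "frame-ancestors 'self'" if !main_site

    default_backend be_app

backend be_app
    mode http
    # placeholder address (TEST-NET-1)
    server s1 192.0.2.10:8080 check
```

Running `haproxy -c -f` against the file checks the syntax, and the response headers for each Host value can then be confirmed with `curl -sI -H 'Host: www.abc.com'` against the frontend.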