HAProxy

Inserting SSL/TLS Certificate Information into HTTP Headers

You can insert quite a number of SSL/TLS related client certificate fields into request headers (sent to the real server) like so:

    frontend name_here
        bind ...
        reqadd X-SSL:\ %[ssl_fc]
        reqadd X-SSL-Client-Verify:\ %[ssl_c_verify]
        reqadd X-SSL-Client-SHA1:\ %[ssl_c_sha1,hex]
        reqadd X-SSL-Client-DN:\ %{+Q}[ssl_c_s_dn]
        reqadd X-SSL-Client-CN:\ %{+Q}[ssl_c_s_dn(cn)]
        reqadd X-SSL-Issuer:\ %{+Q}[ssl_c_i_dn]
        reqadd X-SSL-Client-Not-Before:\ %{+Q}[ssl_c_notbefore]
        reqadd X-SSL-Client-Not-After:\ %{+Q}[ssl_c_notafter]
        default_backend ...

Note: the %{+Q}[...] form quotes the fetched value as a string (wrapped in double quotes), which is what you want for the DN fields since they can contain spaces and commas. It does not convert binary data: ssl_c_sha1 returns the raw fingerprint bytes, so pass it through the hex converter (%[ssl_c_sha1,hex], as above) or base64 before putting it in a header.

Two caveats. First, reqadd (along with the other req*/rsp* rules) was deprecated in HAProxy 2.0 and removed in 2.1; on current versions use http-request add-header or, better, http-request set-header, which replaces any existing header of the same name. Second, reqadd appends and never removes, so a client can send its own X-SSL-Client-Verify: 0 and the backend will receive both copies. Either delete the X-SSL-* headers from the incoming request before adding them, or use set-header, and make sure the backend only accepts these headers from HAProxy. Note also that ssl_c_verify is 0 both when the chain verified and when no certificate was presented at all (e.g. with verify optional), so the backend should check ssl_c_used as well.
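As an added example (not the page's own configuration), here is the same idea on a current HAProxy using http-request rules, with the client-supplied headers stripped first, the fingerprint hex-encoded, and the certificate requirement enforced at the edge. Certificate paths, the frontend and backend names and the server address are placeholders:

```haproxy
# Added example, not from the original page. Certificate paths, the frontend and
# backend names and the server address are placeholders.
frontend fe_mtls
    bind :443 ssl crt /etc/haproxy/certs/site.pem ca-file /etc/haproxy/certs/client-ca.pem verify optional

    # 1. Strip any X-SSL-* headers the client sent. Without this a client could
    #    forge "X-SSL-Client-Verify: 0" and a backend that reads the first
    #    matching header would be fooled.
    http-request del-header X-SSL
    http-request del-header X-SSL-Client-Used
    http-request del-header X-SSL-Client-Verify
    http-request del-header X-SSL-Client-SHA1
    http-request del-header X-SSL-Client-DN
    http-request del-header X-SSL-Client-CN
    http-request del-header X-SSL-Issuer

    # 2. set-header replaces rather than appends, so there is exactly one copy.
    #    ssl_c_used is sent because ssl_c_verify is 0 both for a verified chain
    #    and for no certificate at all.
    http-request set-header X-SSL %[ssl_fc]
    http-request set-header X-SSL-Client-Used %[ssl_c_used]
    http-request set-header X-SSL-Client-Verify %[ssl_c_verify]
    http-request set-header X-SSL-Client-SHA1 %[ssl_c_sha1,hex]
    http-request set-header X-SSL-Client-DN %{+Q}[ssl_c_s_dn]
    http-request set-header X-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)]
    http-request set-header X-SSL-Issuer %{+Q}[ssl_c_i_dn]

    # 3. Enforce at the edge so no backend has to get the check right: refuse
    #    requests without a client certificate or with a verify error (the
    #    latter only reaches this point if crt-ignore-err/ca-ignore-err is used,
    #    since by default a failed verification aborts the handshake).
    http-request deny if !{ ssl_c_used } || { ssl_c_verify gt 0 }

    default_backend be_app

backend be_app
    # The application must accept X-SSL-* only from HAProxy, so this server
    # should be reachable solely from the proxy (firewall or private network).
    server app1 10.0.0.10:8080 check
```

Step 3 is optional: if some backends must remain reachable without a client certificate, drop the deny and have them make the decision from X-SSL-Client-Used and X-SSL-Client-Verify, which steps 1 and 2 guarantee came from HAProxy.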

HAProxy Rewrite Insecure Redirects

This is often a problem where HAProxy is configured for SSL/TLS but the origin web servers are not. When the server sends a redirect, the link in the Location header uses the http:// scheme and not the https:// scheme. If HAProxy is not also listening on plain HTTP the redirect simply fails; if it is, and redirects back to HTTPS, the browser makes a cleartext request it never needed to make and follows two redirects instead of one (far from efficient anyway). The root cause is that the origin does not know the client connection was TLS, so the cleanest fix is to tell it via X-Forwarded-Proto and let the application build the right links; rewriting the Location header in HAProxy is the fallback for applications that ignore that header. You can use something like this in a frontend or backend:
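An added example (not the page's own snippet) showing both the preferred fix and the Location rewrite. Hostnames, certificate paths and server addresses are placeholders; on HAProxy versions before 2.1 the rewrite would have been expressed with the now-removed rspirep rule instead of http-response replace-header:

```haproxy
# Added example, not from the original page. Hostnames, paths and addresses are
# placeholders.
frontend fe_https
    bind :443 ssl crt /etc/haproxy/certs/site.pem
    # Preferred fix: tell the origin which scheme the client used so the
    # application builds https:// links itself. set-header overwrites any
    # client-supplied value, so a client cannot claim https on a plain bind.
    http-request set-header X-Forwarded-Proto https
    default_backend be_app

backend be_app
    server app1 10.0.0.10:8080 check

    # Fallback for applications that ignore X-Forwarded-Proto: rewrite an
    # absolute http:// Location back to https://. The host is pinned so that
    # a deliberate redirect to some third-party plain-HTTP site is not touched,
    # any origin-side port (e.g. :8080) is dropped, and the rule only fires
    # when the client connection was actually TLS.
    http-response replace-header Location ^http://(www[.]example[.]com)(:[0-9]+)?(/.*)?$ https://\1\3 if { ssl_fc }
```

The commonly quoted one-liner `^http://(.*)$ https://\1` works too, but it upgrades every redirect, including ones to external sites that may not speak HTTPS; pinning the host avoids that.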

HAProxy Insert Security Response Headers

It's up to you to decide if these are worthwhile.

Adding Headers Unconditionally

These will add the headers regardless of whether they are already present or not. This can result in duplicate headers in a single response. I've not found this is a problem but it's certainly sub-optimal. Browsers do differ in how they treat duplicates, though: RFC 6797 says a user agent must process only the first Strict-Transport-Security header it receives, and since HAProxy appends its header after the origin's, the origin's value wins. Valid in the listen, frontend or, probably most appropriately, backend sections.

    backend some_name
        http-response add-header X-Frame-Options SAMEORIGIN # Or DENY
        http-response add-header X-XSS-Protection 1;\ mode=block
        http-response add-header X-Content-Type-Options nosniff
        http-response add-header Strict-Transport-Security max-age=31536000;\ includeSubDomains;\ preload
        http-response add-header Referrer-Policy no-referrer

A few notes on the values. The header name passed to http-response add-header must not carry a trailing colon (the name and the value are separate arguments and HAProxy inserts the colon itself). X-XSS-Protection is obsolete: the browser XSS filter it controlled has been removed from the browsers that implemented it, and where one remains the recommended value is 0, because the filter itself could be abused to leak information. The preload token in Strict-Transport-Security is a commitment that you intend to submit the domain to the browsers' built-in HSTS preload list, from which removal is slow, so leave it out until you actually do.

Adding Headers Conditionally

To avoid duplicate headers, use some ACLs to check for their existence.
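As an added example (not the page's own configuration), this contrasts the two ways of avoiding duplicates: set-header, which simply replaces whatever the origin sent, and an ACL-guarded add-header that fills the gap only when the origin sent nothing. The backend name and server address are placeholders:

```haproxy
# Added example, not from the original page. Backend name and server address are
# placeholders.
backend be_app
    server app1 10.0.0.10:8080 check

    # Approach 1: set-header removes any copy the origin sent before adding the
    # new value, so the edge decides and no duplicates are possible.
    http-response set-header X-Content-Type-Options nosniff
    http-response set-header X-Frame-Options DENY
    http-response set-header Referrer-Policy no-referrer
    # The XSS filter this header controlled has been removed from browsers;
    # 0 explicitly disables it wherever one remains.
    http-response set-header X-XSS-Protection 0

    # Approach 2: ACL-guarded add-header leaves the application in charge when
    # it sets the header itself and only fills the gap when it does not.
    # HSTS is only honoured over TLS, so it is also gated on ssl_fc. preload is
    # omitted: add it only when you intend to submit the domain to the browser
    # preload list.
    acl has_hsts res.hdr(Strict-Transport-Security) -m found
    http-response add-header Strict-Transport-Security "max-age=31536000; includeSubDomains" if { ssl_fc } !has_hsts
```

Use the first approach for headers whose policy belongs to the edge and should not be weakened by any one application, and the second where individual applications legitimately need to send their own value.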