Inserting SSL/TLS Certificate Information into HTTP Headers

January 28, 2016

You can insert quite a number of SSL/TLS client certificate details into request headers (sent to the real server) like so:

    frontend name_here
        bind ...
        reqadd X-SSL:\ %[ssl_fc]
        reqadd X-SSL-Client-Verify:\ %[ssl_c_verify]
        reqadd X-SSL-Client-SHA1:\ %{+Q}[ssl_c_sha1]
        reqadd X-SSL-Client-DN:\ %{+Q}[ssl_c_s_dn]
        reqadd X-SSL-Client-CN:\ %{+Q}[ssl_c_s_dn(cn)]
        reqadd X-SSL-Issuer:\ %{+Q}[ssl_c_i_dn]
        reqadd X-SSL-Client-Not-Before:\ %{+Q}[ssl_c_notbefore]
        reqadd X-SSL-Client-Not-After:\ %{+Q}[ssl_c_notafter]
        default_backend ...

Note: the %{+Q} flag quotes the value (wrapping it in double quotes and escaping it) so that subject and issuer DNs containing spaces or commas arrive intact. ssl_c_sha1 is a binary fingerprint, so pass it through the hex converter (%[ssl_c_sha1,hex]) if the backend needs a printable value. ssl_c_verify is the verification result, 0 meaning the certificate verified against the CA given on the bind line. Two caveats: reqadd and the other req*/rsp* keywords were removed in HAProxy 2.1, so newer versions need http-request set-header instead; and because reqadd only appends, a client can send its own X-SSL-Client-Verify header and the backend will receive both, so delete or overwrite any client-supplied X-SSL-* headers before the application trusts them. ... Read more
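The same headers on a current HAProxy (2.2 or later), as an added example rather than code from the original post. It uses http-request set-header, which overwrites instead of appending, and strips anything the client sent under the X-SSL- prefix first. The frontend and backend names, certificate paths and the listening port are placeholders.

```haproxy
# Added example (not from the original post): HAProxy 2.2+ equivalent of the
# reqadd block above. Names and paths are placeholders.
frontend fe_mtls
    # 'verify optional' lets the ssl_c_* fetches report what was presented;
    # 'verify required' would reject connections without a valid cert at the
    # TLS layer instead of leaving the decision to the rules below.
    bind :443 ssl crt /etc/haproxy/certs/site.pem ca-file /etc/haproxy/client-ca.pem verify optional

    # Drop every X-SSL-* header the client supplied so the backend only ever
    # sees values HAProxy produced itself (-m beg matches the name prefix).
    http-request del-header X-SSL- -m beg

    # set-header replaces an existing header rather than adding a second copy.
    http-request set-header X-SSL                   %[ssl_fc]
    http-request set-header X-SSL-Client-Verify     %[ssl_c_verify]
    http-request set-header X-SSL-Client-SHA1       %[ssl_c_sha1,hex]
    http-request set-header X-SSL-Client-DN         %{+Q}[ssl_c_s_dn]
    http-request set-header X-SSL-Client-CN         %{+Q}[ssl_c_s_dn(cn)]
    http-request set-header X-SSL-Issuer            %{+Q}[ssl_c_i_dn]
    http-request set-header X-SSL-Client-Not-Before %{+Q}[ssl_c_notbefore]
    http-request set-header X-SSL-Client-Not-After  %{+Q}[ssl_c_notafter]

    # Reject requests that presented no certificate, or one that failed
    # verification, before they reach the application.
    http-request deny deny_status 403 unless { ssl_c_used }
    http-request deny deny_status 403 if { ssl_c_verify gt 0 }

    default_backend be_app

backend be_app
    server app1 10.0.0.10:80
```

With the two deny rules in place the backend can treat X-SSL-Client-DN as authenticated identity; without them it must still check X-SSL-Client-Verify itself, which is why the del-header line matters.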

Implementing Apache TLS

January 6, 2016

This configuration (including the Header directive) got an A+ rating from Qualys SSL Labs at the time of writing:

    <VirtualHost *:443>
        ...
        Header set Strict-Transport-Security "max-age=31536000; includeSubdomains"
        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/
        SSLCertificateKeyFile /etc/letsencrypt/live/
        SSLCACertificateFile /etc/letsencrypt/live/
        SSLProtocol all -SSLv2 -SSLv3
        SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA:!RC4@STRENGTH
        SSLHonorCipherOrder on
        ...
    </VirtualHost>

A few caveats. SSLCACertificateFile is the CA bundle used to verify client certificates; the Let's Encrypt intermediate chain is normally supplied with SSLCertificateChainFile or, from Apache 2.4.8, by pointing SSLCertificateFile at fullchain.pem. Header set without the always condition only applies to 2xx responses, so use Header always set if HSTS should also be sent on redirects and error pages. Finally, SSL Labs has since capped servers that still offer TLS 1.0 or 1.1 at a B and lists the 3DES suites that MEDIUM permits as weak, so "all -SSLv2 -SSLv3" and "HIGH:MEDIUM" no longer earn an A+.

Implementing Apache Security Headers

January 2, 2016

Simply add the following headers to either a VirtualHost directive (as demonstrated below) or the main configuration:

    <VirtualHost *:443>
        ...
        Header set X-Frame-Options SAMEORIGIN
        Header set X-XSS-Protection "1; mode=block"
        Header set X-Content-Type-Options nosniff
        Header set Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"
        Header set Referrer-Policy no-referrer
        ServerName ...
    </VirtualHost>

Adding these to the main configuration will also minimise information leakage:

    ServerTokens Prod
    ServerSignature Off

Use the Security Headers site to test the results. Two caveats: Header set without the always condition only applies to 2xx responses, so use Header always set if the headers should also appear on redirects and error pages (the HSTS preload submission checks a redirect for the header); and do not add preload to Strict-Transport-Security until every subdomain is served over HTTPS, because removal from the preload list is slow and difficult. ... Read more

HAProxy Rewrite Insecure Redirects

December 8, 2015

This is often a problem where HAProxy terminates SSL/TLS but the origin web servers are not configured for it. When the server sends a redirect, the link in the Location header uses the http:// scheme rather than https://. This breaks things when your proxy is not also handling plain HTTP and redirecting it to HTTPS (which is far from efficient anyway, as the client then follows two redirects). You can use something like this in a frontend or backend: ... Read more
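One way to do the rewrite, as an added example rather than the post's own snippet, which is truncated above. It changes http:// to https:// in the Location header only for responses travelling back over the TLS frontend, and also tells the application which scheme the client used so that frameworks honouring X-Forwarded-Proto generate correct links in the first place. The frontend and backend names, certificate path and server address are placeholders.

```haproxy
# Added example (not from the original post): names and paths are placeholders.
frontend fe_https
    bind :443 ssl crt /etc/haproxy/certs/site.pem
    # Let the application know the client spoke HTTPS; frameworks that honour
    # X-Forwarded-Proto will then emit https:// redirects without any rewrite.
    http-request set-header X-Forwarded-Proto https
    default_backend be_app

backend be_app
    server app1 10.0.0.10:80

    # HAProxy 1.6+: replace-header <name> <regex> <fmt>, where \1 is the first
    # capture group. The condition { ssl_fc } restricts the rewrite to
    # responses whose client connection was TLS, so a plain-HTTP frontend
    # sharing this backend is left alone.
    http-response replace-header Location ^http://(.*)$ https://\1 if { ssl_fc }

    # This rewrites every http:// Location, including redirects to third-party
    # sites; anchor the regex on your own hostname if that matters, e.g.
    # http-response replace-header Location ^http://(www\.example\.com(/.*)?)$ https://\1 if { ssl_fc }

    # Pre-1.6 equivalent (rspirep matched header lines case-insensitively and
    # was removed in HAProxy 2.1):
    # rspirep ^Location:\ http://(.*)$ Location:\ https://\1 if { ssl_fc }
```

Setting X-Forwarded-Proto is the cleaner fix because the application stops producing insecure links at all (including ones in page bodies, which a header rewrite cannot touch); the Location rewrite remains useful for applications you cannot change.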

HAProxy Insert Security Response Headers

December 5, 2015

It’s up to you to decide if these are worthwhile.

Adding Headers Unconditionally

These will add the headers regardless of whether they are already present or not. This can result in duplicate headers in a single response. I’ve not found this is a problem but it’s certainly sub-optimal. Valid in the listen, frontend or, probably most appropriately, backend sections. Note that add-header takes the header name and value as two separate arguments, so the name is written without a trailing colon:

    backend some_name
        http-response add-header X-Frame-Options SAMEORIGIN # Or DENY
        http-response add-header X-XSS-Protection 1;\ mode=block
        http-response add-header X-Content-Type-Options nosniff
        http-response add-header Strict-Transport-Security max-age=31536000;\ includeSubDomains;\ preload
        http-response add-header Referrer-Policy no-referrer

Adding Headers Conditionally

To avoid duplicate headers, use some ACLs to check for their existence. ... Read more
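The conditional form, as an added example and not the post's own (truncated) snippet. Each header is added only when the backend did not already send one, so an application-set policy wins and nothing is duplicated; HSTS is further restricted to TLS responses, since browsers ignore it over plain HTTP. The backend name and server address are placeholders, and the quoted header value needs HAProxy 1.6 or later.

```haproxy
# Added example (not from the original post): names are placeholders.
backend be_app
    server app1 10.0.0.10:80

    # Named ACLs testing whether the response already carries each header
    # (-m found checks for presence rather than comparing a value).
    acl has_xfo  res.hdr(X-Frame-Options)           -m found
    acl has_xcto res.hdr(X-Content-Type-Options)    -m found
    acl has_hsts res.hdr(Strict-Transport-Security) -m found
    acl has_rp   res.hdr(Referrer-Policy)           -m found

    http-response add-header X-Frame-Options        SAMEORIGIN unless has_xfo
    http-response add-header X-Content-Type-Options nosniff    unless has_xcto
    http-response add-header Referrer-Policy        no-referrer unless has_rp

    # Terms in a condition are ANDed; quoting (HAProxy 1.6+) avoids the
    # backslash-escaped spaces used in the unconditional version.
    http-response add-header Strict-Transport-Security "max-age=31536000; includeSubDomains" if { ssl_fc } !has_hsts

    # X-XSS-Protection is deliberately omitted: modern browsers have removed
    # the XSS auditor it controlled, so it no longer adds protection.

    # If the proxy rather than the application must own the policy, overwrite
    # instead of skipping:
    # http-response set-header X-Frame-Options DENY
```

The choice between add-header-unless and set-header is a trust decision: the first lets each application override the proxy's defaults, the second guarantees a floor no backend can weaken.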

© 2015 - 2016 Some Guy. All rights reserved.