From fdc63dbf757a94105ff1bf9d295fcc4047f34ea4 Mon Sep 17 00:00:00 2001
From: PiBa-NL
Date: Mon, 17 Feb 2014 23:10:50 +0100
Subject: haproxy-devel, option for "HTTP Strict Transport Security" HTST

---
 config/haproxy-devel/haproxy.inc | 4 ++++
 config/haproxy-devel/haproxy_pool_edit.php | 18 ++++++++++++++++++
 2 files changed, 22 insertions(+)
(limited to 'config/haproxy-devel')

diff --git a/config/haproxy-devel/haproxy.inc b/config/haproxy-devel/haproxy.inc
index 7f65e814..4713a2d1 100644
--- a/config/haproxy-devel/haproxy.inc
+++ b/config/haproxy-devel/haproxy.inc
@@ -560,6 +560,10 @@ function write_backend($fd, $name, $pool, $frontend) {
 if ($optioncheck)
 fwrite ($fd, "\toption\t\t\t{$optioncheck}\n");
 
+ if ($pool["strict_transport_security"] && is_numeric($pool["strict_transport_security"])){
+ fwrite ($fd, "\trspadd Strict-Transport-Security:\ max-age={$pool["strict_transport_security"]};\n");
+ }
+
 if ($pool['advanced_backend']) {
 $adv_be = explode("\n", base64_decode($pool['advanced_backend']));
 foreach($adv_be as $adv_line) {
diff --git a/config/haproxy-devel/haproxy_pool_edit.php b/config/haproxy-devel/haproxy_pool_edit.php
index 3bc3ff9d..27519429 100644
--- a/config/haproxy-devel/haproxy_pool_edit.php
+++ b/config/haproxy-devel/haproxy_pool_edit.php
@@ -189,6 +189,9 @@ if ($_POST) {
 if ($server_port && !is_numeric($server_port))
 $input_errors[] = "The field 'Port' value is not a number.";
 }
+
+ if ($_POST['strict_transport_security'] !== "" && !is_numeric($_POST['strict_transport_security']))
+ $input_errors[] = "The field 'Strict-Transport-Security' is not empty or a number.";
 
 if (!$input_errors) {
 $pool = array();
@@ -789,6 +792,21 @@ set by the 'retries' parameter.
   + + Advanced + + + Strict-Transport-Security + + When configured enables "HTTP Strict Transport Security" leave empty to disable.
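Review bot: The guard `if ($pool["strict_transport_security"] && is_numeric($pool["strict_transport_security"]))` in write_backend can never emit `max-age=0`, because the string "0" is falsy in PHP, yet max-age=0 is the value RFC 6797 defines for telling a client to drop a cached policy; at the same time is_numeric lets values such as "1e3", "1.5", "-60" or " 60" through, and those are written verbatim into the haproxy config even though the header only allows a non-negative integer number of seconds. Replace the condition with `if (isset($pool["strict_transport_security"]) && preg_match('/^\d+$/', $pool["strict_transport_security"]))` so exactly the digit strings, including "0", reach the rspadd line. The same is_numeric laxness appears in the form-validation hunk of haproxy_pool_edit.php (line 189); the two checks should agree. write_backend begins and ends outside this hunk.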
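Review bot: `$_POST['strict_transport_security'] !== ""` raises an undefined-index notice and then rejects the submission whenever the field is missing from the request, because null !== "" is true and !is_numeric(null) is true as well. Read the field with a default and trim it before testing, `$sts = isset($_POST['strict_transport_security']) ? trim($_POST['strict_transport_security']) : "";` followed by `if ($sts !== "" && !preg_match('/^\d+$/', $sts))`, which also accepts only what write_backend can emit as a max-age. The error text `"The field 'Strict-Transport-Security' is not empty or a number."` reads better as `"The field 'Strict-Transport-Security' must be empty or a number of seconds."`. The enclosing `if ($_POST)` block continues beyond the hunk.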
+ WARNING! the domain will only work over https with a valid certificate!
+ size="20" /> Seconds
+ If configured clients that requested the page with this setting active will not be able to visit this domain over a unencrypted http connection. + So make sure you understand the consequence of this setting or start with a really low value.
+ EXAMPLE: 60 for testing if you are absolutely sure you want this 31536000 (12 months) would be good for production. + + +
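Review bot: The help text says "leave empty to disable" but does not tell the administrator that clients which already received the header keep enforcing HTTPS for the remainder of their cached max-age, so clearing the field does not undo the policy on those clients; consider adding `Note: browsers that already received this header keep enforcing HTTPS until their cached max-age expires; disabling the option here does not reset them.` after the warning line. "a unencrypted http connection" should read "an unencrypted http connection". The HTML tags of this section were not preserved in this rendering, so whether the input's value attribute escapes the saved setting when it is echoed back cannot be checked from here. The surrounding table markup continues outside the hunk.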