HAProxy 在 302 重定向之前添加一些 headers
HAProxy add some headers before 302 redirect
我正在尝试为定向到特定端口的响应添加一些安全措施 headers。
我有以下配置的前端:
frontend desenv_ext_1
bind *:80
bind *:443 ssl crt /etc/ssl/certs/cert.pem
mode http
option tcplog
default_backend desenv_1
timeout client 5m
#ACL to new attempt
acl header_c dst_port 80
#Attempt with no ACL
http-response set-header X-Frame-Options SAMEORIGIN
#Attempt with ssl ACL
http-response set-header Strict-Transport-Security max-age=31535400;\ includeSubDomains;\ preload; if {ssl_fc}
http-response add-header Referrer-Policy no-referrer if !{ ssl_fc }
#Attempt with header_c ACL
http-response set-header X-Content-Type-Options nosniff if header_c
http-response add-header X-XSS-Protection 1;\ mode=block if header_c
#Attempt with rspadd
rspadd X-Backen-Serve\ laranja if header_c
rspadd X-Backend-Serve\ caju if HTTP
redirect scheme https if !{ ssl_fc }
你看,在配置中你有一些不同方式的测试,但这些方式都不起作用。
重定向工作正常,但 headers 未添加到端口 80 响应中:
[root@managerr temp]# curl -I http://localhost
HTTP/1.1 302 Found
Cache-Control: no-cache
Content-length: 0
Location: https://localhost/
Connection: close
我希望到达端口 80 的请求添加以下 headers,即使它们重定向到端口 443:
Strict-Transport-Security max-age=31535400;\ includeSubDomains;\ preload;
X-Frame-Options SAMEORIGIN
X-Content-Type-Options nosniff
X-XSS-Protection 1;\ mode=block
我需要的输出是这样的:
HTTP/1.1 302 Found
Strict-Transport-Security max-age=31535400;\ includeSubDomains;\ preload;
X-Frame-Options SAMEORIGIN
X-Content-Type-Options nosniff
X-XSS-Protection 1;\ mode=block
Cache-Control: no-cache
Content-length: 0
Location: https://localhost/
Connection: close
后端:
backend desenv_1
mode http
option tcplog
server manga x.x.x.x:80 check cookie manga
timeout connect 10s
timeout server 5m
我的HA-Proxy版本1.5.18
redirect 在 http-response 之前执行,因此这些 http-response 永远不会执行。
使用这个:
http-request redirect location "https://%[hdr(host)]%[url]\r\nX-Frame-Options: SAMEORIGIN\r\nReferrer-Policy: no-referrer"
我正在尝试为定向到特定端口的响应添加一些安全措施 headers。 我有以下配置的前端:
frontend desenv_ext_1
bind *:80
bind *:443 ssl crt /etc/ssl/certs/cert.pem
mode http
option tcplog
default_backend desenv_1
timeout client 5m
#ACL to new attempt
acl header_c dst_port 80
#Attempt with no ACL
http-response set-header X-Frame-Options SAMEORIGIN
#Attempt with ssl ACL
http-response set-header Strict-Transport-Security max-age=31535400;\ includeSubDomains;\ preload; if {ssl_fc}
http-response add-header Referrer-Policy no-referrer if !{ ssl_fc }
#Attempt with header_c ACL
http-response set-header X-Content-Type-Options nosniff if header_c
http-response add-header X-XSS-Protection 1;\ mode=block if header_c
#Attempt with rspadd
rspadd X-Backen-Serve\ laranja if header_c
rspadd X-Backend-Serve\ caju if HTTP
redirect scheme https if !{ ssl_fc }
你看,在配置中你有一些不同方式的测试,但这些方式都不起作用。
重定向工作正常,但 headers 未添加到端口 80 响应中:
[root@managerr temp]# curl -I http://localhost
HTTP/1.1 302 Found
Cache-Control: no-cache
Content-length: 0
Location: https://localhost/
Connection: close
我希望到达端口 80 的请求添加以下 headers,即使它们重定向到端口 443:
Strict-Transport-Security max-age=31535400;\ includeSubDomains;\ preload;
X-Frame-Options SAMEORIGIN
X-Content-Type-Options nosniff
X-XSS-Protection 1;\ mode=block
我需要的输出是这样的:
HTTP/1.1 302 Found
Strict-Transport-Security max-age=31535400;\ includeSubDomains;\ preload;
X-Frame-Options SAMEORIGIN
X-Content-Type-Options nosniff
X-XSS-Protection 1;\ mode=block
Cache-Control: no-cache
Content-length: 0
Location: https://localhost/
Connection: close
后端:
backend desenv_1
mode http
option tcplog
server manga x.x.x.x:80 check cookie manga
timeout connect 10s
timeout server 5m
我的HA-Proxy版本1.5.18
redirect 在 http-response 之前执行,因此这些 http-response 永远不会执行。
使用这个:
http-request redirect location "https://%[hdr(host)]%[url]\r\nX-Frame-Options: SAMEORIGIN\r\nReferrer-Policy: no-referrer"