Netgate Discussion Forum
    HAProxy 1.5 and HSTS

    Category: Cache/Proxy
    6 Posts, 2 Posters, 4.5k Views
    • nikolaii

      Hello, I have a running HAProxy setup with SSL enabled.

      I did some tests with the https://www.ssllabs.com/ssltest/ checker. In the result it states that HSTS is not enabled [Strict Transport Security (HSTS) : No].

      But I did enable it in the haproxy backend configuration page:

      ```haproxy
      backend pool-PRX_http_ipvANY
              mode                    http
              # HAProxy 1.5 syntax: rspadd appends this raw header line to every
              # response passing through the backend; "\ " escapes the space.
              # The trailing ";" becomes part of the header value (RFC 6797
              # tolerates it, but it is not needed).
              rspadd Strict-Transport-Security:\ max-age=31536000;
              balance                 source
              timeout connect         5000
              timeout server          50000
              retries                 3
      ```


      So what's missing?

      Thank you.

      Nicolas

      • nikolaii

        Mh, I changed two settings in the backend configuration:

        • From port 80 to 443
        • SSL checkbox ticked

        And now the SSL test website says:

        ```
        Strict Transport Security (HSTS) 	Yes   max-age=31536000;
        ```


        Of course I'm satisfied with this, but I don't understand why it works that way.

        If someone could explain the process to me …

        Thanks.

        Nicolas

        • PiBa

          For HSTS you need to have SSL, so I'm not understanding what change you made or tested before. If you were only listening on :80 there was nothing SSL related. And when using SSL you need to offload it to be able to change the headers.

          • nikolaii
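The point in the reply above, that an HSTS header only counts when it arrives over TLS, is what a scanner such as SSL Labs is checking. As an added example (not code from the thread, HAProxy or pfSense), the small Python checker below evaluates a raw HTTP response the way a conforming browser does per RFC 6797: the header is ignored over plain HTTP, `max-age` is required, the trailing semicolon in `max-age=31536000;` is accepted by the grammar, and only the first STS header field is processed. The sample responses, the host names and the 180-day "short max-age" threshold are constructed assumptions.

```python
"""Evaluate the Strict-Transport-Security header in a raw HTTP response.

Added example for this thread; not code from HAProxy, pfSense or the posters.
Sample responses, host names and the 180-day threshold are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# RFC 6797 section 6.1: directives separated by ';', names case-insensitive,
# values a token or quoted-string, max-age required, unknown directives ignored.
_DIRECTIVE_RE = re.compile(r'^\s*([A-Za-z0-9-]+)\s*(?:=\s*("?)([^";]*)\2)?\s*$')


@dataclass
class HstsResult:
    present: bool = False            # header field seen at all
    effective: bool = False          # a browser would record the policy
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False            # not in RFC 6797; used by preload-list operators
    raw: Optional[str] = None
    warnings: List[str] = field(default_factory=list)


def parse_response_headers(raw_response: str) -> Dict[str, List[str]]:
    """Map lower-cased header names to their values for an HTTP/1.x response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def check_hsts(raw_response: str, over_tls: bool, min_age_days: int = 180) -> HstsResult:
    """Judge one response as a conforming user agent (or a scanner) would.

    over_tls: the response came over an error-free TLS connection; RFC 6797
    section 8.1 says an STS header received over plain HTTP is ignored.
    min_age_days: local threshold for flagging a short max-age (assumption).
    """
    result = HstsResult()
    values = parse_response_headers(raw_response).get("strict-transport-security", [])
    if not values:
        return result
    result.present = True
    if len(values) > 1:
        # RFC 6797 section 8.1: only the first STS header field is processed.
        result.warnings.append(f"{len(values)} STS header fields sent; only the first is used")
    result.raw = values[0]

    seen = set()
    for part in result.raw.split(";"):
        if not part.strip():
            continue    # trailing ';' as in 'max-age=31536000;' is allowed by the grammar
        m = _DIRECTIVE_RE.match(part)
        if not m:
            result.warnings.append(f"unparseable directive {part.strip()!r}; header ignored")
            return result
        name, val = m.group(1).lower(), m.group(3)
        if name in seen:
            result.warnings.append(f"duplicate directive {name}; header ignored")
            return result                      # RFC 6797 6.1: each directive at most once
        seen.add(name)
        if name == "max-age":
            if val is None or not val.isdigit():
                result.warnings.append("max-age must be a non-negative integer; header ignored")
                return result
            result.max_age = int(val)
        elif name == "includesubdomains":
            result.include_subdomains = True
        elif name == "preload":
            result.preload = True
        # any other directive is unknown and ignored

    if result.max_age is None:
        result.warnings.append("max-age directive missing; header ignored")
        return result
    if not over_tls:
        result.warnings.append("STS header received over plain HTTP; browsers ignore it")
        return result
    if result.max_age == 0:
        result.warnings.append("max-age=0 tells the browser to forget the policy")
    elif result.max_age < min_age_days * 86400:
        result.warnings.append(f"max-age is shorter than {min_age_days} days")
    result.effective = result.max_age > 0
    return result


# Constructed sample responses (not captured from the poster's server); the
# STS value is the one the thread reports, trailing semicolon included.
HTTPS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000;\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)
NO_HSTS_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    for label, resp, tls in (("https://example.test:443", HTTPS_RESPONSE, True),
                             ("http://example.test:80", HTTPS_RESPONSE, False),
                             ("https://example.test:443 (no header)", NO_HSTS_RESPONSE, True)):
        r = check_hsts(resp, over_tls=tls)
        print(f"{label}: HSTS {'Yes' if r.effective else 'No'} {r.raw or ''} {' | '.join(r.warnings)}")
```

Run it against a response captured with `openssl s_client` or `curl -i` from the HAProxy front-end on 443, not from a back-end server directly: only the bytes the client sees over TLS matter, and a header injected on the :80 path is discarded by the browser even if it is present.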

            Sorry it wasn't clear enough:

            the HAProxy frontend is listening on port 443, but the remote connection to the backends was on port 80.

            And only after I changed the connection to the backend to port 443 was HSTS detected.

            Nicolas

            • PiBa

              Hmm, ok, that doesn't make sense. Adding the HSTS header should work no matter what the backend is used on.

              • nikolaii

                Yes I totally agree with you.

                I'll try to reproduce the issue again and get back to you.

                Nicolas

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.