HAProxy 1.5 and HSTS

nikolaii

Hello, I have a runing HAProxy setup with SSL enabled.

I did some test with the https://www.ssllabs.com/ssltest/ checker. In the result it states that HSTS is not enabled [Strict Transport Security (HSTS) : No].

But I did enable it in the haproxy backend configuration page:

backend pool-PRX_http_ipvANY
        mode                    http
        rspadd Strict-Transport-Security:\ max-age=31536000;
        balance                 source
        timeout connect         5000
        timeout server          50000
        retries                 3

So what's missing?

Thank you.

nikolaii

Mh, I changed two settings in the backend configuration:

• From port 80 to 443
• SSL checkbox ticked

Ans now the SSL test website says:

Strict Transport Security (HSTS) 	Yes   max-age=31536000;

Of course I'm satisfied with this, but I don't understand why it works that way.

If someone could explain the process to me …

Thanks.

PiBa

For hsts you need to have ssl, so im not understanding what change you made or tested before.? If you where only listening on :80 there was nothing ssl related..?? And when using ssl you need to offload it to be able to change the headers.

nikolaii

Sorry it wasn't clear enough:

the HAProxy frontend is listening on port 443. But the the remote connection to the backends was on port 80.

And only after I changed the connection to the backend to port 443, then HSTS was detected.

PiBa

hmm ok.. that doesnt make sense.. adding the hsts header should work no mather what the backend is used on..

nikolaii

Yes I totally agree with you.

I'll try to reproduce the issue again and get back to you.

Nicolas