basic security-headers

ansibleguy · May 2, 2024 · b530c69 · b530c69
1 parent c0447f5
commit b530c69
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -59,6 +59,7 @@ ansible-galaxy install -r requirements.yml
     * Frontend
       * Redirect non SSL traffic to SSL if in HTTP mode
       * Logging User-Agent
+      * Setting basic security-headers
     * Backend
       * Basic Check (*httpchk if in http mode*)
 

diff --git a/defaults/main/1_main.yml b/defaults/main/1_main.yml
@@ -66,6 +66,7 @@ defaults_frontend:
   # ssl with custom cert: ':443 ssl crt /etc/ssl/haproxy/site.pem'
   acme: false
   ssl_redirect: true
+  security_headers: true
   log:
     user_agent: true
 
@@ -87,8 +88,19 @@ defaults_frontend:
   #     filter_ip: ['10.0.0.0/8']
   #     filter_not_ip: []
 
+  headers:  # you might want to set 'security_headers' to false if you want to control those headers; see below for defaults
+    request: {}
+    response: {}
+
   default_backend:
 
+defaults_security_headers:
+  Strict-Transport-Security: 'max-age=16000000; includeSubDomains; preload;'
+  X-Frame-Options: 'DENY'  # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+  X-Content-Type-Options: 'nosniff'  # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
+  X-Permitted-Cross-Domain-Policies: 'none'
+  X-XSS-Protection: '1; mode=block'
+
 defaults_frontend_route:
   domains: []
   filter_country: []

diff --git a/templates/etc/haproxy/conf.d/frontend.cfg.j2 b/templates/etc/haproxy/conf.d/frontend.cfg.j2
@@ -14,15 +14,21 @@ frontend {{ name }}
 {%   endfor %}
 
 {%   if cnf.mode == 'http' %}
-{%     if cnf.ssl_redirect | bool %}
-    http-request redirect scheme https unless { ssl_fc }
+{%     if cnf.ssl_redirect | bool and 'ssl' in cnf.bind.join('-') %}
+    http-request redirect scheme https code 301 unless { ssl_fc }
 {%     endif %}
 {%   endif %}
 
 {%   if cnf.geoip.enable | bool %}
 {% include "inc/geoip.j2" %}
 {%   endif %}
 
+{%   if cnf.security_headers | bool %}
+{%     for header, value in defaults_security_headers.items() %}
+    http-response set-header {{ header }} "{{ value }}"
+{%     endfor %}
+{%   endif %}
+
 {%   if cnf.log.user_agent | bool %}
     http-request capture req.fhdr(User-Agent) len 200
 {%   endif %}