Skip to content

Instantly share code, notes, and snippets.

@rnewson
Last active November 18, 2021 22:12
Show Gist options
  • Save rnewson/8384304 to your computer and use it in GitHub Desktop.
Save rnewson/8384304 to your computer and use it in GitHub Desktop.
haproxy.cfg stanzas to enable Perfect Forward Secrecy and HTTP Strict Transport Security. Requires OpenSSL 1.0.1g or so.
# Bind SSL port with PFS-enabling cipher suite
bind :443 ssl crt path_to_certificate no-tls-tickets ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA384:AES128-SHA256:AES128-SHA:AES256-SHA256:AES256-SHA:!MD5:!aNULL:!DH:!RC4
# Distinguish between secure and insecure requests
acl secure dst_port eq 443
# Mark all cookies as secure if sent over SSL
rsprep ^Set-Cookie:\ (.*) Set-Cookie:\ \1;\ Secure if secure
# Add the HSTS header with a 1 year max-age
rspadd Strict-Transport-Security:\ max-age=31536000 if secure
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment