haproxy.cfg stanzas to enable Perfect Forward Secrecy and HTTP Strict Transport Security. Requires OpenSSL 1.0.1g or so.

1/12/2014 - 1:00 PM

haproxy.cfg stanzas to enable Perfect Forward Secrecy and HTTP Strict Transport Security. Requires OpenSSL 1.0.1g or so.

# Bind SSL port with PFS-enabling cipher suite
bind :443 ssl crt path_to_certificate no-tls-tickets ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA384:AES128-SHA256:AES128-SHA:AES256-SHA256:AES256-SHA:!MD5:!aNULL:!DH:!RC4

# Distinguish between secure and insecure requests
acl secure dst_port eq 443

# Mark all cookies as secure if sent over SSL
rsprep ^Set-Cookie:\ (.*) Set-Cookie:\ \1;\ Secure if secure

# Add the HSTS header with a 1 year max-age
rspadd Strict-Transport-Security:\ max-age=31536000 if secure

Cacher is the code snippet organizer for pro developers

We empower you and your team to get more done, faster

haproxy.cfg stanzas to enable Perfect Forward Secrecy and HTTP Strict Transport Security. Requires OpenSSL 1.0.1g or so.