HAProxy & HTTP Strict Transport Security (HSTS)

HAProxy provides an easy and straightforward way to add HTTPS to your website. As a load balancer positioned in front of your web servers, it can handle all of the encryption and decryption duties, offloading those tasks from your upstream servers. That matters because today the consensus is that every website must implement HTTPS, regardless of whether sensitive or private information is being exchanged: it protects everyone, even during their most mundane online activities.

The blog post HAProxy SSL Termination shows how to enable HTTPS in HAProxy. It also explains how to redirect users from HTTP to HTTPS using the http-request redirect scheme directive. Here is an example that sets up that redirect:

frontend www.mywebsite.com
bind :80
bind :443 ssl crt /etc/ssl/certs/mywebsite.com.pem
http-request redirect scheme https code 301 unless { ssl_fc }
default_backend servers

Using this feature, all users are automatically routed to the secure version of your site. Chalk one up for the good guys!

Yet, it doesn’t provide total protection. The user’s first request must travel over the network in the clear at least once before it reaches HAProxy and gets redirected. An attacker positioned on that path (on the same public Wi-Fi network, for example) can intercept that plaintext request, swallow the redirect instead of passing it on, and keep talking to the visitor over plain HTTP while forwarding the traffic to your website over HTTPS on the visitor’s behalf. This attack is known as SSL stripping. Neither the visitor nor you, the website operator, sees anything amiss: the visitor gets the pages they asked for, and your server sees an ordinary HTTPS client.

Security advocates know of this risk. For that reason, they’ve devised a way for browsers to send a user to the secure version of a site from the get-go, without an HTTP redirect. This mechanism is called HTTP Strict Transport Security (HSTS) and is described in the specification RFC 6797. The spec defines a response header called Strict-Transport-Security, which tells browsers that the website should be accessed only over HTTPS, and for how long the browser should remember this rule. Once a browser has stored the rule, it rewrites any http:// URL for that host to https:// before a single byte leaves the machine, so the plaintext request that SSL stripping depends on never happens.

Configure the Strict-Transport-Security header

Enabling HSTS in HAProxy is very simple. After you’ve configured the redirect to HTTPS in your frontend section, you’re ready to set up HSTS. To insert the Strict-Transport-Security header into every response, use the http-response set-header directive, as shown here:

frontend www.mywebsite.com
bind :80
bind :443 ssl crt /etc/ssl/certs/mywebsite.com.pem
http-request redirect scheme https code 301 unless { ssl_fc }
# max-age is mandatory
# 16000000 seconds is a bit more than 6 months
http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;"
default_backend servers

Now, HAProxy returns the Strict-Transport-Security header, which instructs the browser to route messages to this website using HTTPS from the start. Browsers only honour the header when they receive it over HTTPS, so it takes effect the first time a visitor reaches the TLS listener; for the next six months after that visit, the browser goes straight to https:// for this host, and an attacker on the path no longer sees a plaintext request to strip. The very first visit remains exposed, which is what the preload list described below addresses. As a side effect, the browser also skips the plaintext round trip to the redirect, improving response times. If you would rather not emit the header on plaintext responses at all (it is ignored there anyway), append the condition if { ssl_fc } to the http-response set-header line.

The header’s max-age field is mandatory. It sets how long the browser should remember the rule, in seconds; max-age=0 tells the browser to forget a previously stored rule, which is the only way to roll HSTS back. The includeSubDomains and preload fields are optional. The former extends the rule to all subdomains of your site, so confirm that every subdomain (including internal tools that share the domain) already serves HTTPS before enabling it, or those hosts become unreachable for returning visitors. The latter is not part of RFC 6797; it signals that you intend to submit your site to the HSTS preload list, a registry maintained by Google and shipped with Chrome, Firefox, Safari and Edge, so that those browsers use HTTPS for your site even on the very first visit. The preload list has requirements beyond the header being present: it requires includeSubDomains and a max-age of at least 31536000 seconds (one year), so the six-month value above would need to be raised before submission. Removal from the list takes months to propagate to installed browsers, so treat preload as effectively permanent.
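As an added example that is not part of the HAProxy blog post or of HAProxy itself, here is a small Python checker that parses a Strict-Transport-Security value the way RFC 6797 tells browsers to (case-insensitive directive names, a mandatory and optionally quoted max-age, no duplicate directives, header ignored on plaintext responses, only the first STS field honoured) and additionally flags operational problems such as a preload token combined with a max-age below the one-year minimum the preload list requires. The ONE_YEAR threshold, the function names and the sample header values are this example’s own assumptions and constructed inputs; run it over the header your HAProxy actually returns (for instance the value shown by curl -sI against your site) before you deploy a change.

```python
"""Parse and sanity-check a Strict-Transport-Security header value (RFC 6797)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumption for this example: minimum max-age the HSTS preload list accepts (one year).
ONE_YEAR = 31_536_000


@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    errors: List[str] = field(default_factory=list)    # RFC 6797 violations: browsers ignore the header
    warnings: List[str] = field(default_factory=list)  # syntactically valid but operationally risky

    @property
    def valid(self) -> bool:
        return not self.errors


def parse_hsts(value: str) -> HstsPolicy:
    """Parse one header value. Directive names are case-insensitive, max-age is
    mandatory and may be quoted, and each directive may appear only once."""
    policy = HstsPolicy()
    seen = set()
    # RFC 6797 permits empty directives, so a trailing ';' is not an error.
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        val = val.strip()
        if name in seen:
            policy.errors.append(f"duplicate directive: {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if len(val) >= 2 and val[0] == val[-1] == '"':
                val = val[1:-1]  # quoted delta-seconds are allowed by the grammar
            if not re.fullmatch(r"[0-9]+", val):
                policy.errors.append(f"max-age must be a non-negative integer, got {val!r}")
            else:
                policy.max_age = int(val)
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
        else:
            # Browsers ignore directives they do not recognise; report it, don't fail.
            policy.warnings.append(f"unknown directive ignored: {name}")

    if policy.max_age is None:
        policy.errors.append("max-age is required")
        return policy
    if policy.max_age == 0:
        policy.warnings.append("max-age=0 instructs browsers to delete the stored policy")
    if policy.include_subdomains:
        policy.warnings.append("includeSubDomains also binds every subdomain, "
                               "including hosts that do not yet serve HTTPS")
    if policy.preload:
        if not policy.include_subdomains:
            policy.warnings.append("preload list requires includeSubDomains")
        if policy.max_age < ONE_YEAR:
            policy.warnings.append(
                f"preload list requires max-age >= {ONE_YEAR}, got {policy.max_age}")
    return policy


def effective_policy(scheme: str, headers: List[Tuple[str, str]]) -> Optional[HstsPolicy]:
    """Apply the RFC 6797 section 8.1 processing rules a browser follows: the header
    is ignored on a plaintext response, only the first STS header field counts, and
    a malformed field is discarded."""
    if scheme.lower() != "https":
        return None
    for name, value in headers:
        if name.lower() == "strict-transport-security":
            policy = parse_hsts(value)
            return policy if policy.valid else None
    return None


if __name__ == "__main__":
    # Constructed inputs: the header from the config above, then a preload-ready one.
    for hdr in ("max-age=16000000; includeSubDomains; preload;",
                "max-age=31536000; includeSubDomains; preload"):
        p = parse_hsts(hdr)
        print(hdr, "->", "valid" if p.valid else p.errors, p.warnings)
```

Run against the header from the configuration above, the checker reports it as valid but warns that the preload token is paired with a max-age below one year; the second, one-year value clears that warning. The effective_policy helper reproduces the point made earlier in the post: a Strict-Transport-Security header on a plaintext response, such as the 301 redirect, is simply ignored by the browser.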

Conclusion

HTTP Strict Transport Security is a mechanism that protects your website’s visitors from attackers trying to intercept their messages. It lets a browser remember that a site must be reached over HTTPS, removing the plaintext request that an HTTP-to-HTTPS redirect requires. Use it if you’d like to make the Web safer for everyone.
