net/haproxy: support HSTS, refs #375

2026-06-03 22:08:11 -04:00 · 2017-11-18 01:09:38 +01:00 · 2017-11-18 01:09:38 +01:00 · 80613eea0e
commit 80613eea0e
parent f7afbc30b7
3 changed files with 27 additions and 0 deletions
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
@ -104,6 +104,18 @@
        <type>text</type>
        <help><![CDATA[It sets the default string describing the list of cipher algorithms ("cipher suite") that are negotiated during the SSL/TLS handshake.]]></help>
    </field>
+    <field>
+        <id>frontend.ssl_hstsEnabled</id>
+        <label>Enable HSTS</label>
+        <type>checkbox</type>
+        <help><![CDATA[Enable HTTP Strict Transport Security.]]></help>
+    </field>
+    <field>
+        <id>frontend.ssl_hstsMaxAge</id>
+        <label>HSTS max-age</label>
+        <type>text</type>
+        <help><![CDATA[Future requests to the domain should use only HTTPS for the specified time (in seconds): 15768000 = 6 months]]></help>
+    </field>
    <field>
        <label>Tuning Options</label>
        <type>header</type>
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@ -348,6 +348,17 @@
                    <default>ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256</default>
                    <Required>N</Required>
                </ssl_cipherList>
+                <ssl_hstsEnabled type="BooleanField">
+                    <default>1</default>
+                    <Required>Y</Required>
+                </ssl_hstsEnabled>
+                <ssl_hstsMaxAge type="IntegerField">
+                    <default>15768000</default>
+                    <MinimumValue>1</MinimumValue>
+                    <MaximumValue>1000000000</MaximumValue>
+                    <ValidationMessage>Please specify a value between 1 and 1000000000.</ValidationMessage>
+                    <Required>Y</Required>
+                </ssl_hstsMaxAge>
                <tuning_maxConnections type="IntegerField">
                    <MinimumValue>1</MinimumValue>
                    <MaximumValue>500000</MaximumValue>
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@ -607,6 +607,10 @@ frontend {{frontend.name}}
 {%             do ssl_options.append('ciphers ' ~ frontend.ssl_cipherList) %}
 {%           endif %}
 {%         endif %}
+{#         # HSTS #}
+{%         if frontend.ssl_hstsEnabled|default("") == '1' %}
+    http-response set-header Strict-Transport-Security max-age={{frontend.ssl_hstsMaxAge}}
+{%         endif %}
 {%       endif %}
 {#       # bind/listen configuration #}
 {%       if frontend.bind|default("") != "" %}