From cc3e4ed81e923744bd3e64ffe1f190e4b32b3bcc Mon Sep 17 00:00:00 2001
From: jurgenhaas <juergen@paragon-es.de>
Date: Tue, 3 May 2016 09:06:08 +0200
Subject: [PATCH] Optimize redirects for aliases to also recognize the target
 protocol and introduce the HSTS header

---
 templates/haproxy_cfg | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/templates/haproxy_cfg b/templates/haproxy_cfg
index bb42b3c..0077d42 100644
--- a/templates/haproxy_cfg
+++ b/templates/haproxy_cfg
@@ -56,13 +56,13 @@ frontend http_in
   http-request deny if blockedip
 {% for host in groups['all'] %}
 {% for redirect in hostvars[host].proxy_redirect|default([]) %}
-  redirect prefix http://{{redirect.to}} if { hdr(host) -i -n {{redirect.from}} }
+  redirect prefix {{ redirect.protocol|default('https') }}://{{redirect.to}} code 301 if { hdr(host) -i -n {{redirect.from}} }
 {% endfor %}
 {% if proxy_redirect_aliase %}
 {% for drupal in hostvars[host].drupal_settings|default([]) %}
 {% for domain in drupal.domains|default([]) %}
 {% for alias in domain.aliases|default([]) %}
-  redirect prefix http://{{domain.domain}} if { hdr(host) -i -n {{alias}} }
+  redirect prefix {{ domain.protocol|default('https') }}://{{domain.domain}} code 301 if { hdr(host) -i -n {{alias}} }
 {% endfor %}
 {% endfor %}
 {% endfor %}
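Review bot: The default scheme for redirect targets flips from `http` to `https` on this plain-HTTP frontend (and the same change is repeated in the https_in hunk below), and the new `code 301` makes the redirect permanently cacheable by browsers, so any `redirect.to` or `domain.domain` that is not actually served with TLS becomes a dead end that returning visitors cannot escape until their cache expires. `redirect.protocol` and `domain.protocol` are interpolated unvalidated, so anything other than `http`/`https` yields an unusable Location. If every target is now expected to terminate TLS, say so next to the loop, e.g. `{# targets default to https; set protocol: http only for names that have no certificate #}`; otherwise `code 302` for the first rollout would keep a mistake revertible. The brace spacing is also inconsistent within one line (`{{ redirect.protocol|default('https') }}` next to `{{redirect.to}}`).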
@@ -94,13 +94,13 @@ frontend https_in_{{ cert.ip }}
   http-request deny if blockedip
 {% for host in groups['all'] %}
 {% for redirect in hostvars[host].proxy_redirect|default([]) %}
-  redirect prefix http://{{redirect.to}} if { hdr(host) -i -n {{redirect.from}} }
+  redirect prefix {{ redirect.protocol|default('https') }}://{{redirect.to}} code 301 if { hdr(host) -i -n {{redirect.from}} }
 {% endfor %}
 {% if proxy_redirect_aliase %}
 {% for drupal in hostvars[host].drupal_settings|default([]) %}
 {% for domain in drupal.domains|default([]) %}
 {% for alias in domain.aliases|default([]) %}
-  redirect prefix https://{{domain.domain}} if { hdr(host) -i -n {{alias}} }
+  redirect prefix {{ domain.protocol|default('https') }}://{{domain.domain}} code 301 if { hdr(host) -i -n {{alias}} }
 {% endfor %}
 {% endfor %}
 {% endfor %}
@@ -116,7 +116,7 @@ frontend https_in_{{ cert.ip }}
 {% endif %}
 {% for host in groups['all'] %}
   acl ssl_domain_in_{{host}} hdr(host) -i -n -f /etc/haproxy/{{host}}.ssl.list
-  use_backend backend_{{host}} if ssl_domain_in_{{host}}
+  use_backend backend_{{host}}_https if ssl_domain_in_{{host}}
   acl redirect_{{host}} hdr(host) -i -n -f /etc/haproxy/{{host}}.list
   use_backend backend_redirect if redirect_{{host}}
 {% if hostvars[host].proxy_crm_domains is defined %}
@@ -133,6 +133,14 @@ backend backend_{{host}}
 {% else %}
   server server_{{host}} {{hostvars[host]['static_ipv4']|default(hostvars[host]['ansible_default_ipv4']['address'])}}:80 maxconn 100
 {% endif %}
+
+backend backend_{{host}}_https
+{% if host == inventory_hostname %}
+  http-response deny
+{% else %}
+  http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;"
+  server server_{{host}} {{hostvars[host]['static_ipv4']|default(hostvars[host]['ansible_default_ipv4']['address'])}}:80 maxconn 100
+{% endif %}
 {% endfor %}
 {% if varnish_host|default(false) %}
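Review bot: The Strict-Transport-Security value on the `http-response set-header` line is hard-coded with `includeSubDomains; preload` for every host in `groups['all']`, which is a site-wide and effectively irreversible commitment: `includeSubDomains` forces every subdomain of each served name onto TLS, and `preload` invites inclusion in browser preload lists from which removal can take months. The value also ends with a stray `;` after `preload`, and a `max-age` of 16000000 seconds (about 185 days) is below the one-year minimum the preload submission process currently requires, so the directive is unlikely to achieve what it advertises. Consider making the policy a per-host variable with a conservative default, e.g. `http-response set-header Strict-Transport-Security "{{ hostvars[host].proxy_hsts|default('max-age=16000000') }}"` (variable name illustrative), and adding `includeSubDomains`/`preload` only where the operator opts in. As far as the visible hunks show, the `_https` backend is selected only from the `https_in_*` frontend, so the header is correctly kept off plain-HTTP responses; the duplicated `server` line could be shared with the plain backend above to keep the two in step.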
 
-- 
GitLab