junkurihara / rust-rpxy

[WIP] A simple and ultrafast http reverse proxy serving multiple domain names and terminating TLS for http/1.1, 2 and 3, written in Rust
MIT License
247 stars 19 forks

TODO: HSTS support #139

Open junkurihara opened 7 months ago

junkurihara commented 7 months ago

RFC: https://datatracker.ietf.org/doc/html/rfc6797

Any idea of a configuration directive specifying HSTS for an app in TOML file?

paulocoghi commented 7 months ago

Looking at the security headers in the Traefik documentation and examples (here), as well as this user suggestion, this could be one idea:

[http.exampleContext]

  [http.exampleContext.security.headers]
    forceSTSHeader = true
    stsIncludeSubdomains = true
    stsPreload = true
    stsSeconds = 15552000

paulocoghi commented 7 months ago

But I don't like the idea of forceSTSHeader; instead, something simpler like STSHeader.

junkurihara commented 7 months ago

Hi Paulo, thanks!

I think it makes sense. max-age (seconds), include_subdomains and preload need to be explicitly specified. But rpxy should enable HSTS only when the HSTS directive (e.g., [experiments.hsts]?) exists.
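
As an added illustration of the three knobs named above (max-age in seconds, include_subdomains, preload) and of "enable HSTS only when the directive exists", here is a self-contained Rust sketch. It is not rpxy code: the `[experiments.hsts]` table name is the one floated in this thread, the `HstsConfig` struct, key names and the tiny line-oriented parser (standing in for a real TOML loader) are assumptions made for the example, and the preload check encodes the hstspreload.org submission requirements (includeSubDomains plus a max-age of at least one year), which are a preload-list rule rather than part of RFC 6797. The header is only ever attached to responses served over TLS, since RFC 6797 section 7.2 forbids an HSTS host from sending it over non-secure transport, and the TLS-terminating proxy is the component that actually knows which case applies.

```rust
// Added example, not part of rpxy. Shows a global HSTS directive being
// parsed, validated, rendered per RFC 6797, and applied only over TLS.
use std::collections::HashMap;

/// Hypothetical HSTS settings mirroring the three knobs discussed in the thread.
#[derive(Debug, Clone, PartialEq)]
pub struct HstsConfig {
    pub max_age: u64, // seconds; the only mandatory directive in RFC 6797 (6.1.1)
    pub include_subdomains: bool,
    pub preload: bool,
}

impl HstsConfig {
    /// Render the Strict-Transport-Security field value (RFC 6797 section 6.1).
    pub fn header_value(&self) -> String {
        let mut v = format!("max-age={}", self.max_age);
        if self.include_subdomains {
            v.push_str("; includeSubDomains");
        }
        if self.preload {
            v.push_str("; preload");
        }
        v
    }

    /// Config-load sanity checks. max_age = 0 is deliberately allowed: per RFC 6797
    /// it tells user agents to forget the policy, which is how an operator rolls back.
    pub fn validate(&self) -> Result<(), String> {
        // hstspreload.org requirement (assumption labelled in the lead-in): a preloadable
        // policy needs includeSubDomains and a max-age of at least one year.
        if self.preload && (!self.include_subdomains || self.max_age < 31_536_000) {
            return Err("preload requires include_subdomains = true and max_age >= 31536000".into());
        }
        Ok(())
    }
}

fn parse_bool(v: &str) -> Result<bool, String> {
    match v {
        "true" => Ok(true),
        "false" => Ok(false),
        other => Err(format!("expected true or false, got {other}")),
    }
}

/// Minimal stand-in for the TOML loader: returns Ok(None) when no
/// [experiments.hsts] table exists, i.e. HSTS stays disabled by default.
pub fn parse_hsts_table(toml_text: &str) -> Result<Option<HstsConfig>, String> {
    let (mut in_table, mut found) = (false, false);
    let mut max_age: Option<u64> = None;
    let (mut include_subdomains, mut preload) = (false, false);
    for raw in toml_text.lines() {
        let line = raw.split('#').next().unwrap_or("").trim(); // drop comments
        if line.is_empty() {
            continue;
        }
        if line.starts_with('[') {
            in_table = line == "[experiments.hsts]";
            found |= in_table;
            continue;
        }
        if !in_table {
            continue;
        }
        let (k, v) = line.split_once('=').ok_or_else(|| format!("bad line: {raw}"))?;
        match (k.trim(), v.trim()) {
            ("max_age", v) => {
                max_age = Some(v.parse::<u64>().map_err(|_| format!("max_age must be an integer, got {v}"))?)
            }
            ("include_subdomains", v) => include_subdomains = parse_bool(v)?,
            ("preload", v) => preload = parse_bool(v)?,
            (k, _) => return Err(format!("unknown key in [experiments.hsts]: {k}")),
        }
    }
    if !found {
        return Ok(None);
    }
    let cfg = HstsConfig { max_age: max_age.ok_or("max_age is required")?, include_subdomains, preload };
    cfg.validate()?;
    Ok(Some(cfg))
}

/// Apply the global policy to an outgoing response. Returns true if the header was set.
pub fn apply_hsts(headers: &mut HashMap<String, String>, cfg: Option<&HstsConfig>, over_tls: bool) -> bool {
    // No [experiments.hsts] table: HSTS is disabled and the response passes through untouched.
    let cfg = match cfg {
        Some(c) => c,
        None => return false,
    };
    // RFC 6797 section 7.2: never send the header over non-secure transport. The backend only ever
    // sees plaintext from the proxy, so strip anything it added rather than trust its judgement.
    if !over_tls {
        headers.remove("strict-transport-security");
        return false;
    }
    // One global policy wins over whatever the backend emitted (the thread's "keep it global" view).
    headers.insert("strict-transport-security".to_string(), cfg.header_value());
    true
}

fn main() {
    // Constructed config snippet for the demo; the table name follows the thread's suggestion.
    let cfg_text = "[experiments.hsts]\nmax_age = 31536000 # one year\ninclude_subdomains = true\npreload = true\n";
    let cfg = parse_hsts_table(cfg_text).expect("valid config");
    let mut headers = HashMap::new();
    headers.insert("content-type".to_string(), "text/html".to_string());
    apply_hsts(&mut headers, cfg.as_ref(), true);
    println!("{:?}", headers.get("strict-transport-security"));
}
```

The two behaviours worth keeping whatever the final directive looks like are the default-off semantics (no table, no header) and the TLS gate in `apply_hsts`; the preload check is the one place where a config that is syntactically valid should still be rejected at load time, because a `preload` token without the matching scope is the kind of mistake the browser preload list will refuse long after the config has shipped.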

junkurihara commented 7 months ago

Also IMHO, HSTS does not need to be controlled separately for each backend application. I mean it should be a global option for rpxy to keep the config file as simple as possible.

Or do we need such flexibility in the settings of backend applications?

Gamerboy59 commented 3 weeks ago

> Or do we need such flexibility in the settings of backend applications?

Except for legacy compatibility, I see no benefit in per-upstream configuration. HSTS is on its way to becoming the standard, and a global configuration ensures uniform security policies across all backend applications.