Always set HTTP response header?

HAProxy 1.7.10 (pfSense) here.
I’ve got a TLS/SSL enabled frontend that’s configured to unconditionally send the Strict-Transport-Security HTTP response header, e.g.

http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains"

This works, but only for successful responses (from the HAProxy point of view).
If there’s a HAProxy generated error response such as HTTP 503, the header is missing and I’d like to have it there as well.

For example Apache has the always condition its the Header directive designed for such purpose:

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

Is it somehow possible to achieve this with HAProxy?

Unfortunately this is not currently possible the easy way.

A few possible workarounds are:

  • use custom error pages and insert the header manually there (the custom error pages must contain the entire HTTP response, including HTTP headers) - however this still does not cover haproxy redirects, if you are using that
  • Iterate through a dedicated frontend/backend section for the purpose of adding the header, use the second layer proxying for load-balancing, errors, etc, so that when an error is generated in the second layer, the first layer will be responsible for adding the header