Persistence cookie "secure" on frontend

Marco Corte
July 26, 2017 05:30PM
Hi all.

A frontend listens both for HTTP and for HTTPS.
It should set the "Secure" attribute to the cookies over the encrypted
channel and not on the others.

Here are the relevant lines of the configuration

frontend XXX-FE
bind 10.64.44.160:80 name HTTP
bind 10.64.44.160:443 name HTTPS ssl crt /etc/ssl/private/XXX.pem
mode http
http-request set-header X-Forwarded-Proto https if { ssl_fc }
http-response set-header Strict-Transport-Security max-age=16000000;\
includeSubDomains if { ssl_fc }
http-response replace-header Set-Cookie (.*) \1;\ Secure if { ssl_fc }
use_backend XXX if { path_beg -i /AAA }

backend XXX
mode http
cookie rs insert indirect nocache httponly maxidle 1h
server serverA 10.64.44.155:80 check cookie A
server serverB 10.64.44.156:80 check cookie B

Testing with curl https://someserver/something.aspx the response has the
following headers

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 12450
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/8.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET=1hj2c; path=/; HttpOnly; Secure <- from server
X-Powered-By: ASP.NET
Date: Wed, 26 Jul 2017 14:40:11 GMT
Strict-Transport-Security: max-age=16000000; includeSubDomains
Set-Cookie: rs=A|WXipz; path=/; HttpOnly <- from haproxy


It seems that the "Set-Cookie" coming from the real server correctly has
the "Secure" attribute set by the frontend, while the load-balancing one
does not.
Is this the expected behaviour?

Thank you

..marcoc
Marco Corte
Re: Persistence cookie "secure" on frontend
August 09, 2017 09:20AM
Hello, list!

I was not clear in the previous post. I am sorry.

A frontend listens both for HTTP and for HTTPS.
It should set the "Secure" attribute to the cookies over the encrypted
channel and not on the others.

frontend XXX-FE
bind 10.64.44.160:80
bind 10.64.44.160:443 ssl crt /etc/ssl/private/XXX.pem
http-response replace-header Set-Cookie (.*) \1;\ Secure if { ssl_fc }
use_backend XXX if { path_beg -i /AAA }

backend XXX
cookie rs insert indirect nocache httponly maxidle 1h
server serverA 10.64.44.155:80 check cookie A
server serverB 10.64.44.156:80 check cookie B

Testing with curl https://someserver/something.aspx the response has
these two "Set-Cookie"

Set-Cookie: ASP.NET=1hj2c; path=/; HttpOnly; Secure
Set-Cookie: rs=A|WXipz; path=/; HttpOnly

The "Set-Cookie: ASP.NET=..." coming from the real server correctly has
the "Secure" attribute set by the frontend.
The "Set-Cookie: rs=A..." inserted by haproxy is not set as "Secure".

Is there a way to set "Secure" also on the Set-Cookie set by haproxy
with the same "if { ssl_fc }" condition?

Thank you

..marcoc
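An added check, not part of this thread and not HAProxy code, that audits the two Set-Cookie headers the post shows (reproduced here as a constructed sample) and flags any cookie that lacks Secure on a response received over TLS, so a fix can be verified from the client side:

```python
from typing import Dict, List

# Response headers as posted in the thread (constructed sample; the cookie
# values are the ones shown in the post, not real session tokens).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Cache-Control: no-cache\r\n"
    "Set-Cookie: ASP.NET=1hj2c; path=/; HttpOnly; Secure\r\n"
    "Strict-Transport-Security: max-age=16000000; includeSubDomains\r\n"
    "Set-Cookie: rs=A|WXipz; path=/; HttpOnly\r\n"
    "\r\n"
)


def parse_set_cookies(raw_headers: str) -> List[Dict[str, object]]:
    """Return one dict per Set-Cookie header with the cookie name, its value
    and the set of attribute names (lower-cased) found after the first ';'."""
    cookies = []
    for line in raw_headers.split("\r\n"):
        if not line.lower().startswith("set-cookie:"):
            continue
        _, _, header_value = line.partition(":")
        parts = [p.strip() for p in header_value.split(";")]
        name, _, value = parts[0].partition("=")
        # Attributes like "path=/" keep only their name; flags keep as-is.
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
        cookies.append({"name": name.strip(), "value": value, "attrs": attrs})
    return cookies


def audit_cookies(raw_headers: str, over_tls: bool) -> List[str]:
    """Report cookies missing Secure (only meaningful over TLS) or HttpOnly.
    Each finding reads '<cookie name>: missing <attribute>'."""
    findings = []
    for c in parse_set_cookies(raw_headers):
        if over_tls and "secure" not in c["attrs"]:
            findings.append(f'{c["name"]}: missing Secure')
        if "httponly" not in c["attrs"]:
            findings.append(f'{c["name"]}: missing HttpOnly')
    return findings


if __name__ == "__main__":
    # Run against the sample from the thread as if fetched over https.
    for finding in audit_cookies(SAMPLE_RESPONSE, over_tls=True):
        print(finding)
```

Feed it the raw header block from `curl -i` against the HTTPS bind; the persistence cookie from the post is reported as `rs: missing Secure` while the server's own cookie passes.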