Set-Cookie Secure

Posted by rob.mlist 
rob.mlist
Set-Cookie Secure
September 18, 2017 02:40PM
I set 2 cookies on behalf of Backend Servers: one with these configuration lines at Frontend:

rspadd Set-Cookie:\ x_cookie_servedby=web1_;\ path=/ if id_web1 !back_cookie_present
rspadd Set-Cookie:\ x_cookie_servedby=web4_;\ path=/ if id_web4 !back_cookie_present
rspadd Set-Cookie:\ x_cookie_servedby=web10_;\ path=/ if id_web10 !back_cookie_present

one at Backend with this line (and a Backend cookie directive on each server):
cookie cookie_ha_srvid insert indirect preserve nocache

Now I need to change every response to clients to add the "secure" attribute for all client encrypted connections.
I applied the following rules, but no secure attribute is added to the response:

acl https_sess ssl_fc
acl secured_cookie res.hdr(Set-Cookie),lower -m sub secure
rspirep ^(set-cookie:.*) \1;\ Secure if https_sess !secured_cookie


Roberto
Marco Corte
Re: Set-Cookie Secure
September 18, 2017 05:30PM
Hello, list!

> now I need to change every response to clients to add "secure" attribute
> for all client encrypted connections.
>
> I applied following rules, but _no secure attribute is added to the
> response_:

Is it possible that this is in some way related to the issue that I
noticed some weeks ago?
https://www.mail-archive.com/[email protected]/msg27036.html

I assume that only cookies coming from the real servers can be
manipulated, but I could be wrong.

..marcoc
Igor Cicimov
Re: Set-Cookie Secure
September 22, 2017 12:50AM
Well, if you are handling the requests in two different, let's call them pipelines, like fe_http:80->be_http and fe_https:443->be_https, you can obviously set secure cookies for the second one only without any acl gymnastics.
mlist
RE: Set-Cookie Secure
September 22, 2017 02:30AM
Hi Igor, I use fe_https:443-> be_http

Igor Cicimov
Re: Set-Cookie Secure
September 22, 2017 02:40AM
Then you can unconditionally include Secure in your "rspadd Set-Cookie ..."
since the communication between the client and HAP is always over SSL. Or
am I missing something?

mlist
RE: Set-Cookie Secure
September 22, 2017 09:10AM
I have ACLs to leave some sites on http (not redirected to https), so adding the secure flag on rspadd is not an option.

mlist
RE: Set-Cookie Secure
October 05, 2017 06:00PM
Hi Igor, some news about this?

Igor Cicimov
Re: Set-Cookie Secure
October 06, 2017 02:20AM
Hi,

Well no, not really. Above ^^^^^^^ I asked if you are (or can convert to) running two frontends, one for http and one for https, and you replied that you are not and that you are using a single fe_https:443->be_http. Are you saying you have both http and https over the same 443 port?

If not, and you are really running a single frontend listening on both 80 and 443 for http/https, i.e. a fe_https:(80,443) -> be_http setup, I would say that your problem is here:

acl https_sess ssl_fc
acl secured_cookie res.hdr(Set-Cookie),lower -m sub secure
rspirep ^(set-cookie:.*) \1;\ Secure if https_sess !secured_cookie

More specifically, using an acl in the response that is set based on the request will not work. Try using capture or set-var instead, so the value set at request time is preserved for the logic applied at response time.

Also, sending the full config with sensitive data removed can be helpful.
mlist
RE: Set-Cookie Secure
October 07, 2017 12:40PM
I prefer to use only one frontend for all requests, so I can control many configs centrally,
avoiding replication of rules that is not so simple to maintain; but centralizing means managing
non-default cases, so: by default all http is converted to https if some conditions (acl)
are not met (for applications we impose https, for web sites we leave the choice, …).

We also use stick tables as a base for ddos control, etc., for now only basic rules, and
use the cookie mechanism for normal persistence and for special client-side app persistence
needed to identify the backend server in special situations.

Config file attached.

Attachments:
haproxy.cfg (18.9 KB)
Igor Cicimov
Re: Set-Cookie Secure
October 09, 2017 06:50AM
Maybe try something like:

http-request set-var(txn.req_ssl) ssl_fc

acl https_sess var(txn.req_ssl)
acl secured_cookie res.hdr(Set-Cookie),lower -m sub secure
rspirep ^(set-cookie:.*) \1;\ Secure if https_sess !secured_cookie

So the first line sets a transactional variable valid for the request AND the response, and
the https_sess acl then uses it for the response.

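As an added example (not from the thread and not HAProxy code), the Python below models the response-side rewrite that Igor's set-var fix performs, with the TLS flag stored per transaction rather than re-read at response time, and it also shows why the thread's secured_cookie ACL, a substring match on the lowercased header, misjudges a cookie whose name merely contains the text "secure". The Transaction, has_secure_attribute and add_secure_attribute names, and the sample headers, are this example's own.

```python
"""Model of the Set-Cookie 'Secure' rewrite discussed in the thread.

Added example, not HAProxy code. It mirrors two points from the replies:
  * a request-time fact (was the client connection TLS?) must be kept per
    transaction so response-time logic can use it, which is what
    set-var(txn.req_ssl) ssl_fc achieves in HAProxy;
  * `res.hdr(Set-Cookie),lower -m sub secure` is a substring test on the
    whole header, while a proper check looks at the attribute list.
All names below (Transaction, has_secure_attribute, ...) are this
example's own, not HAProxy identifiers.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Transaction:
    """One request/response pair, standing in for HAProxy's txn scope."""
    client_tls: bool                        # request-time fact (ssl_fc)
    response_headers: List[Tuple[str, str]] = field(default_factory=list)


def has_secure_attribute(set_cookie: str) -> bool:
    """True only if a real 'Secure' attribute is present.

    Attributes follow the name=value pair, separated by ';', and attribute
    names are case-insensitive (RFC 6265). Testing the attribute list, not
    the whole header string, avoids the false positive where a cookie name
    or value merely contains the text 'secure'.
    """
    attributes = set_cookie.split(";")[1:]  # drop the name=value pair
    return any(a.strip().lower() == "secure" for a in attributes)


def substring_acl_matches(set_cookie: str) -> bool:
    """What the thread's `,lower -m sub secure` ACL evaluates to."""
    return "secure" in set_cookie.lower()


def add_secure_attribute(txn: Transaction) -> List[Tuple[str, str]]:
    """Response-time rewrite: append '; Secure' to each Set-Cookie header
    that lacks it, but only when the client connection was TLS.

    The TLS flag comes from the transaction object (the txn.req_ssl
    variable in Igor's fix); reading ssl_fc directly at response time is
    what the thread reports as not working.
    """
    rewritten = []
    for name, value in txn.response_headers:
        if (name.lower() == "set-cookie" and txn.client_tls
                and not has_secure_attribute(value)):
            value = value + "; Secure"
        rewritten.append((name, value))
    return rewritten


# Constructed sample response, as a backend behind the proxy might send it.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "cookie_ha_srvid=web4_; path=/"),
    ("Set-Cookie", "unsecured_pref=1; Path=/"),          # 'secure' as text only
    ("Set-Cookie", "sid=abc; Path=/; HttpOnly; secure"),  # already flagged
]


def rewrite_sample(client_tls: bool) -> List[str]:
    """Run the rewrite over SAMPLE_HEADERS and return the Set-Cookie values."""
    txn = Transaction(client_tls=client_tls, response_headers=list(SAMPLE_HEADERS))
    return [v for n, v in add_secure_attribute(txn) if n == "Set-Cookie"]


if __name__ == "__main__":
    for cookie in rewrite_sample(client_tls=True):
        print(cookie)
    # The substring ACL treats this cookie as already secured, so the
    # thread's rspirep rule would skip it; the attribute check does not.
    print("substring ACL matches:", substring_acl_matches("unsecured_pref=1; Path=/"))
    print("real Secure attribute:", has_secure_attribute("unsecured_pref=1; Path=/"))
```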
Roberto Cazzato
RE: Set-Cookie Secure
June 07, 2018 02:10PM
Hi,

your code, as the original:

acl https_sess ssl_fc
acl secured_cookie res.hdr(Set-Cookie),lower -m sub secure
rspirep ^(set-cookie:.*) \1;\ Secure if https_sess !secured_cookie

works only for cookies inserted by the backend servers:
(Backend sets cookie) -> (haproxy intercepts Set-Cookie and adds "secure") -> (client receives Set-Cookie WITH secure)

It doesn't work generally for every cookie, such as those inserted by haproxy itself:
(haproxy adds a cookie with "cookie insert" or "rspadd Set-Cookie") -> (client receives Set-Cookie WITHOUT secure)

Is there a stage where haproxy can add secure for all cases?

Thank you

PS: is there somewhere a logic schema of haproxy (like those for netfilter, e.g. https://gist.github.com/nerdalert/a1687ae4da1cc44a437d), so one can know which commands work where in haproxy?
I found it not so simple to control haproxy behavior more deeply.

