cookie insert method secure

mlist
cookie insert method secure
June 12, 2018 06:30PM
Hi,

is there a mechanism to specify a command like:

cookie <cookie_name> insert indirect preserve nocache httponly secure

to insert "secure" only if the session is SSL? So it is possible to use this command on a common http/https backend without using 2 different redundant backends?

There are also other new cookie security specifiers such as SameSite=… ?

Thank you

Rob


mlist


APKAPPA s.r.l. registered office Via F. Albani, 21 20149 Milano | VAT no. IT-08543640158
administrative and operational headquarters Reggio Emilia (RE) via M. K. Gandhi, 24/A 42123 - operational office Magenta (MI) via Milano 89/91 20013
tel. 02 91712 000 | fax 02 91712 339 www.apkappa.it

Pursuant to and for the purposes of the law on the protection of personal privacy (Legislative Decree 196/03 and related provisions), this email is intended solely for the persons indicated above, and the information it contains is to be considered strictly confidential.
This email is confidential, do not use the contents for any purpose whatsoever nor disclose them to anyone else. If you are not the intended recipient, you should not copy, modify, distribute or take any action in reliance on it. If you have received this email in error, please notify the sender and delete this email from your system.
Aleksandar Lazic
Re: cookie insert method secure
June 12, 2018 07:40PM
Hi.

On 12/06/2018 16:23, mlist wrote:
>Hi,
>
>there is a mechanism to specify to command like:
>
>cookie <cokie_name> insert indirect preserve nocache httponly secure
>
>to insert secure only if the session is ssl ? So it is possible to use
>this command on a common http/https backend without using 2 different
>redundant backend ?

You mean something like this?

frontend http
  ...
  default_backend common_backend

frontend https
  ...
  default_backend common_backend

backend common_backend
  ...
  cookie <cookie_name> insert indirect preserve nocache httponly if !{ ssl_fc }
  cookie <cookie_name> insert indirect preserve nocache httponly secure if { ssl_fc }
  ...

https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4.2-default_backend
https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.3.4-ssl_fc

>There are also other cockie new security specifiers such as SameSite=… ?

Sorry I don't understand this sentence.

>Thank you
>
>Rob
>
>This email is confidential, do not use the contents for any purpose
>whatsoever nor disclose them to anyone else. If you are not the
>intended recipient, you should not copy, modify, distribute or take any
>action in reliance on it. If you have received this email in error,
>please notify the sender and delete this email from your system.

HM, is the mailing list *the intended recipient* ;-) ?!

Best regards
Aleks
mlist
RE: cookie insert method secure
June 12, 2018 08:10PM
Hi Aleksandar,

as I can see in the configuration documentation, the cookie command does not seem to support <condition>.
Right now I use HA-Proxy version 1.8-dev0-530141f 2017/03/02; if I set the "if { ssl_fc }" condition I get:

[ALERT] 162/194855 (10704) : parsing [/etc/haproxy/haproxy.cfg:657] : 'cookie' supports 'rewrite', 'insert', 'prefix', 'indirect', 'nocache', 'postonly', 'domain', 'maxidle, and 'maxlife' options.

Also in the newer version documentation I cannot see support for <condition>:

http://cbonte.github.io/haproxy-dconv/1.9/configuration.html#cookie%20(Alphabetically%20sorted%20keywords%20reference)

What you wrote was exactly what I'm looking for!

>>There are also other new cookie security specifiers such as SameSite=... ?

>Sorry I don't understand this sentence.

I mean one can use other options than only those specified in the alert above, i.e.:

cookie <cookie_name> insert indirect preserve nocache httponly SameSite=strict

We can "add" a flag to a cookie passing "through" haproxy with "rspirep ^(set-cookie:.*) \1;\ SameSite=strict ...":

[backend sets a cookie] -> [haproxy adds SameSite=strict to the passing cookie] -> [client gets altered cookie]

How can we do that with a cookie completely added by haproxy? As we see, the "cookie insert" command doesn't seem to support flags like SameSite=strict:

DOESN'T WORK
[haproxy cookie insert SameSite=strict] -> [client gets inserted cookie flag]
Aleksandar Lazic
Re: cookie insert method secure
June 12, 2018 11:40PM
Hi.

On 12/06/2018 18:05, mlist wrote:
>Hi Alekandar,
>
>as I can see in the configuration documentation cookie command does not
>seems to support <condition>
>As now I use HA-Proxy version 1.8-dev0-530141f 2017/03/02 if I set "if { ssl_fc }" condition I get:
>
>[ALERT] 162/194855 (10704) : parsing [/etc/haproxy/haproxy.cfg:657] : 'cookie' supports 'rewrite', 'insert', 'prefix', 'indirect', 'nocache', 'postonly', 'domain', 'maxidle, and 'maxlife' options.
>
>Also on newer version documentation I cannot see support for <condition>
>
>http://cbonte.github.io/haproxy-dconv/1.9/configuration.html#cookie%20(Alphabetically%20sorted%20keywords%20reference)

Ah you are right I haven't thought that this keyword can't work with
conditions.

>What you wrote was exactly what I'm looking for !
>
>>>There are also other cockie new security specifiers such as SameSite=... ?
>
>>Sorry I don't understand this sentence.
>
>I mean one can use other options then only those specified in the alert above. ie:
>
> cookie <cookie_name> insert indirect preserve nocache httponly SameSite=strict
>
>We can "add" a flag to a cookie passing "through" haproxy with " rspirep ^(set-cookie:.*) \1;\ SameSite=strict ..."
>
>[backend set a cookie] -> [haproxy add SameSite=strict to passing cookie] -> [client get altered cookie]
>
>How we can do that with cookie completely added by haproxy as we see
>"cookie insert" command doesn's seems to support flags like
>SameSite=strict:
>
>DOESN'T WORK
>[haproxy cookie insert SameSite=strict] -> [client get inserted cookie flag]

How about handling this with http-request:

https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4.2-http-response

e.g.:

# \1 is the name=value part before the first ';', \2 the remaining attributes
http-response replace-header Set-Cookie ([^;]*);(.*) "\1;\2; HttpOnly; SameSite=strict" if !{ ssl_fc }
http-response replace-header Set-Cookie ([^;]*);(.*) "\1;\2; HttpOnly; SameSite=strict; Secure" if { ssl_fc }

The insert, indirect, preserve and nocache options are a little bit complicated.

You can use the `cookie` keyword and then remove the cookie with http-request before you send it to the backend:
https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4.2-http-request

e.g.:

# untested
cookie <cookie_name> insert indirect preserve nocache httponly
http-request replace-header Cookie cookie_name=([^~]*)(.*) cookie_name=\2

Maybe you can take a look into the code how the cookie is created ;-)

http://git.haproxy.org/?p=haproxy.git;a=blob;f=src/proto_http.c;hb=fd9655c54dc504f75afea9c45b3a34ffaba73db4#l5880

Best regards
Aleks
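The following Python is an added example of mine, not code from the thread: it applies a replace-header rule of the `([^;]*);(.*)` form discussed above to constructed Set-Cookie values (thread_rewrite) next to an attribute-aware rewrite that adds each flag only when it is missing (harden_set_cookie). It assumes HAProxy's replace-header semantics of searching the regex in the header value and replacing the whole value with the expanded format string, and it models backend-set cookies only, not the cookie added by `cookie insert`.

```python
import re

# Added example, not code from the thread. Models an HAProxy
# "http-response replace-header Set-Cookie <regex> <fmt>" rule as assumed
# here: the regex is searched in the header value and, on a match, the
# whole value is replaced by the format string with \1 and \2 expanded.
THREAD_RE = re.compile(r"([^;]*);(.*)")

def thread_rewrite(set_cookie: str, tls: bool) -> str:
    """Regex-only rewrite: name=value (group 1) and the remaining attributes
    (group 2) are kept, then HttpOnly and SameSite are appended; Secure is
    appended only when the client side is TLS (the ssl_fc condition)."""
    m = THREAD_RE.search(set_cookie)
    if not m:
        return set_cookie  # a value without any ';' never matches: left unhardened
    flags = "; HttpOnly; SameSite=strict" + ("; Secure" if tls else "")
    return m.group(1) + ";" + m.group(2) + flags

def harden_set_cookie(set_cookie: str, tls: bool) -> str:
    """Attribute-aware rewrite: keep name=value and every existing attribute,
    add HttpOnly/SameSite only if absent, add Secure only on TLS and if absent.
    Running it twice yields the same header (no duplicated flags)."""
    parts = [p.strip() for p in set_cookie.split(";")]
    pair, attrs = parts[0], [a for a in parts[1:] if a]
    present = {a.split("=", 1)[0].lower() for a in attrs}
    if "httponly" not in present:
        attrs.append("HttpOnly")
    if "samesite" not in present:
        attrs.append("SameSite=Strict")
    if tls and "secure" not in present:
        attrs.append("Secure")
    return "; ".join([pair] + attrs)

if __name__ == "__main__":
    # Constructed sample headers, as a backend might send them.
    for hdr in ("SESSIONID=abc123; Path=/; Max-Age=3600",
                "SESSIONID=abc123; HttpOnly",   # backend already set HttpOnly
                "srv=node1"):                   # no attributes at all
        print(thread_rewrite(hdr, tls=True))
        print(harden_set_cookie(hdr, tls=True))
```

Two cases the regex-only rule mishandles are in the sample: a value with no ';' is never matched, and a flag the backend already set is appended a second time.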
