cookie insert method secure

mlist
cookie insert method secure
June 12, 2018 06:30PM
Hi,

is there a mechanism to specify to a command like:

cookie <cookie_name> insert indirect preserve nocache httponly secure

to insert secure only if the session is SSL? So is it possible to use this command on a common http/https backend without using 2 different redundant backends?

There are also other new cookie security specifiers such as SameSite=... ?

Thank you



Rob

mlist
APKAPPA s.r.l. registered office Via F. Albani, 21 20149 Milano | VAT no. IT-08543640158
administrative and operational office Reggio Emilia (RE) via M. K. Gandhi, 24/A 42123 - operational office Magenta (MI) via Milano 89/91 20013
tel. 02 91712 000 | fax 02 91712 339 www.apkappa.it

Pursuant to and for the purposes of the law on the protection of personal privacy (Legislative Decree 196/03 and related), this email is intended solely for the persons indicated above and the information contained in it is to be considered strictly confidential.
This email is confidential, do not use the contents for any purpose whatsoever nor disclose them to anyone else. If you are not the intended recipient, you should not copy, modify, distribute or take any action in reliance on it. If you have received this email in error, please notify the sender and delete this email from your system.
Aleksandar Lazic
Re: cookie insert method secure
June 12, 2018 07:40PM
Hi.

On 12/06/2018 16:23, mlist wrote:
>Hi,
>
>is there a mechanism to specify to a command like:
>
>cookie <cookie_name> insert indirect preserve nocache httponly secure
>
>to insert secure only if the session is SSL? So is it possible to use
>this command on a common http/https backend without using 2 different
>redundant backends?

You mean something like this?

frontend http
    ...
    default_backend common_backend

frontend https
    ...
    default_backend common_backend

backend common_backend
    ...
    cookie <cookie_name> insert indirect preserve nocache httponly if !{ ssl_fc }
    cookie <cookie_name> insert indirect preserve nocache httponly secure if { ssl_fc }
    ...

https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4.2-default_backend
https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.3.4-ssl_fc

>There are also other new cookie security specifiers such as SameSite=... ?

Sorry I don't understand this sentence.

>This email is confidential, do not use the contents for any purpose
>whatsoever nor disclose them to anyone else. If you are not the
>intended recipient, you should not copy, modify, distribute or take any
>action in reliance on it. If you have received this email in error,
>please notify the sender and delete this email from your system.

HM, is the mailing list *the intended recipient* ;-) ?!

Best regards
Aleks
mlist
RE: cookie insert method secure
June 12, 2018 08:10PM
Hi Aleksandar,

as I can see in the configuration documentation, the cookie command does not seem to support <condition>.
Right now I use HA-Proxy version 1.8-dev0-530141f 2017/03/02; if I set the "if { ssl_fc }" condition I get:

[ALERT] 162/194855 (10704) : parsing [/etc/haproxy/haproxy.cfg:657] : 'cookie' supports 'rewrite', 'insert', 'prefix', 'indirect', 'nocache', 'postonly', 'domain', 'maxidle, and 'maxlife' options.

Also in the newer version documentation I cannot see support for <condition>:

http://cbonte.github.io/haproxy-dconv/1.9/configuration.html#cookie%20(Alphabetically%20sorted%20keywords%20reference)

What you wrote was exactly what I'm looking for!

>>There are also other new cookie security specifiers such as SameSite=... ?

>Sorry I don't understand this sentence.

I mean one can use other options than only those specified in the alert above, i.e.:

cookie <cookie_name> insert indirect preserve nocache httponly SameSite=strict

We can "add" a flag to a cookie passing "through" haproxy with " rspirep ^(set-cookie:.*) \1;\ SameSite=strict ..."

[backend sets a cookie] -> [haproxy adds SameSite=strict to passing cookie] -> [client gets altered cookie]

How can we do that with a cookie completely added by haproxy, as we see the "cookie insert" command doesn't seem to support flags like SameSite=strict:

DOESN'T WORK
[haproxy cookie insert SameSite=strict] -> [client gets inserted cookie flag]




Aleksandar Lazic
Re: cookie insert method secure
June 12, 2018 11:40PM
Hi.

On 12/06/2018 18:05, mlist wrote:
>Hi Aleksandar,
>
>as I can see in the configuration documentation, the cookie command does not
>seem to support <condition>
>Right now I use HA-Proxy version 1.8-dev0-530141f 2017/03/02; if I set the "if { ssl_fc }" condition I get:
>
>[ALERT] 162/194855 (10704) : parsing [/etc/haproxy/haproxy.cfg:657] : 'cookie' supports 'rewrite', 'insert', 'prefix', 'indirect', 'nocache', 'postonly', 'domain', 'maxidle, and 'maxlife' options.
>
>Also in the newer version documentation I cannot see support for <condition>
>
>http://cbonte.github.io/haproxy-dconv/1.9/configuration.html#cookie%20(Alphabetically%20sorted%20keywords%20reference)

Ah you are right, I haven't thought that this keyword can't work with
conditions.

>What you wrote was exactly what I'm looking for!
>
>>>There are also other new cookie security specifiers such as SameSite=... ?
>
>>Sorry I don't understand this sentence.
>
>I mean one can use other options than only those specified in the alert above, i.e.:
>
> cookie <cookie_name> insert indirect preserve nocache httponly SameSite=strict
>
>We can "add" a flag to a cookie passing "through" haproxy with " rspirep ^(set-cookie:.*) \1;\ SameSite=strict ..."
>
>[backend sets a cookie] -> [haproxy adds SameSite=strict to passing cookie] -> [client gets altered cookie]
>
>How can we do that with a cookie completely added by haproxy, as we see
>the "cookie insert" command doesn't seem to support flags like
>SameSite=strict:
>
>DOESN'T WORK
>[haproxy cookie insert SameSite=strict] -> [client gets inserted cookie flag]

How about handling this with http-request:

https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4.2-http-response

e.g.:
# \1 is the name=value pair, \2 the attributes the backend already set (possibly empty),
# so Path=, Expires= etc. are kept and a cookie without attributes still matches
http-response replace-header Set-Cookie ^([^;]*)(.*) "\1\2; HttpOnly; SameSite=strict" if !{ ssl_fc }
http-response replace-header Set-Cookie ^([^;]*)(.*) "\1\2; HttpOnly; SameSite=strict; Secure" if { ssl_fc }

The insert, indirect, preserve and nocache part is a little bit complicated.

You can use the `cookie` keyword and then remove the cookie with http-request before you send it to the backend:
https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4.2-http-request

e.g.:

# untested
cookie <cokie_name> insert indirect preserve nocache httponly
http-request replace-header Cookie cokie_name=([^~]*)(.*) cokie_name=\2

Maybe you can take a look into the code how the cookie is created ;-)

http://git.haproxy.org/?p=haproxy.git;a=blob;f=src/proto_http.c;hb=fd9655c54dc504f75afea9c45b3a34ffaba73db4#l5880

Best regards
Aleks
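To show what those two Set-Cookie rules actually do to a response, here is a Python emulation of HAProxy's replace-header semantics, added by the editor and not code from the thread or from HAProxy. It runs the regex in the form it was first posted here, `([^;]*);(.*)` with `\1` alone in the format, beside the corrected `^([^;]*)(.*)` with `\1\2`, over constructed Set-Cookie values; the emulated semantics (whole header value replaced on match, header untouched otherwise) and the sample headers are assumptions of the example.

```python
import re

# Constructed emulation (not HAProxy code) of the two
#   http-response replace-header Set-Cookie <regex> <fmt> if { ssl_fc } / if !{ ssl_fc }
# rules from the thread. HAProxy's replace-header matches <regex> against the
# whole header value and, on a match, replaces the ENTIRE value with <fmt>,
# where \1, \2 ... expand to the regex capture groups. Headers whose value does
# not match are left untouched.

# Rule as first posted: \2 is captured but never used, so everything after the
# first ';' (Path=, Expires=, Max-Age=, ...) is thrown away, and a cookie with
# no attributes at all contains no ';' and is not matched (no flags added).
POSTED_RULE = (re.compile(r"([^;]*);(.*)"), r"\1; HttpOnly; SameSite=strict")

# Corrected rule: \1 = name=value, \2 = the existing attributes (may be empty).
FIXED_RULE = (re.compile(r"^([^;]*)(.*)"), r"\1\2; HttpOnly; SameSite=strict")


def replace_header(regex, fmt, value):
    """Emulate one HAProxy replace-header evaluation on a single header value."""
    match = regex.search(value)
    if match is None:
        return value           # HAProxy leaves non-matching headers as they are
    return match.expand(fmt)   # \1, \2 in fmt are filled from the groups


def harden_set_cookie(value, ssl_fc, rule=FIXED_RULE):
    """Apply the pair of conditional rules: HttpOnly + SameSite on every
    frontend, plus Secure only when the client connection is TLS (ssl_fc).
    This is what lets one shared http/https backend emit Secure correctly."""
    regex, fmt = rule
    if ssl_fc:
        fmt = fmt + "; Secure"
    return replace_header(regex, fmt, value)


def rewrite_response(headers, ssl_fc, rule=FIXED_RULE):
    """Rewrite every Set-Cookie header of a response (list of (name, value)
    pairs); replace-header acts on all occurrences of the named header."""
    return [
        (name, harden_set_cookie(value, ssl_fc, rule))
        if name.lower() == "set-cookie" else (name, value)
        for name, value in headers
    ]


def cookie_attributes(value):
    """Lower-cased attribute names of a Set-Cookie value (everything after the
    first ';'), handy for checking that Secure/HttpOnly/Path survived."""
    parts = (p.strip() for p in value.split(";")[1:])
    return {p.split("=", 1)[0].lower() for p in parts if p}


# Constructed sample response from a backend: one cookie with attributes,
# one bare cookie, one unrelated header.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "SESSIONID=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "JSESSIONID=xyz"),
]

if __name__ == "__main__":
    for ssl_fc in (False, True):
        print(f"--- ssl_fc={ssl_fc}")
        for rule_name, rule in (("posted", POSTED_RULE), ("fixed", FIXED_RULE)):
            for name, value in rewrite_response(SAMPLE_HEADERS, ssl_fc, rule):
                if name == "Set-Cookie":
                    print(f"{rule_name:6} {value}")
```

The corrected rule appends HttpOnly even when the backend already set it; browsers accept the repeated attribute, but it is visible in the output.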

mlist
RE: cookie insert method secure
June 23, 2018 04:50PM
>>> You can use the `cookie` keyword and then remove the cookie with http-request before you send it to the backend
>>> https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4.2-http-request
>>>
>>> e.g.:
>>>
>>> # untested
>>> cookie <cokie_name> insert indirect preserve nocache httponly
>>> http-request replace-header Cookie cokie_name=([^~]*)(.*) cokie_name=\2
>>>
>>> Maybe you can take a look into the code how the cookie is created ;-)

It is necessary to "not set Cookie secure" (in the response to the client), not to delete secure on the request.

The cookie inserted for session management by the "cookie <cookie name> insert..." keyword is managed directly by haproxy. Without the possibility to add the "secure" flag with a condition (or to use another haproxy mechanism), no one can use haproxy while being compliant with cookie security without creating a separate backend for each special case (impractical).




Aleksandar Lazic
Re: cookie insert method secure
June 24, 2018 01:30AM
On 23/06/2018 14:42, mlist wrote:
>>>> You can use the `cookie` keyword and then remove the cookie with
>>>> http-request before you send it to the backend
>>>> https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4.2-http-request
>
>>>> e.g.:
>
>>>> # untested
>>>> cookie <cokie_name> insert indirect preserve nocache httponly
>>>> http-request replace-header Cookie cokie_name=([^~]*)(.*) cokie_name=\2
>
>>>> Maybe you can take a look into the code how the cookie is created ;-)
>
>It is necessary to "not set Cookie secure" (in response to the client)
>not deleting secure on the request.
>
>cookie inserted for session management by "cookie <cookie name>
>insert..." keyword is managed directly by haproxy.
>
>Without possibility to add "secure" flag with condition (or use other
>haproxy mechanism) none can use haproxy being compliant with cookie
>security without doing a separate backend for each special case
>(impractical).

I don't know any other solution.
Can't you use ansible or any other tool to set up the backends
automatically?

Best regards
Aleks

mlist
RE: cookie insert method secure
June 24, 2018 09:40AM
Ansible does automation; it cannot change internal haproxy behavior. Is there a possibility to file a bug or feature request with the developers?

Roberto



[APK]

[Unione]


mlist


APKAPPA s.r.l. sede legale Via F. Albani, 21 20149 Milano | p.iva/vat no. IT-08543640158
sede amministrativa e operativa Reggio Emilia (RE) via M. K. Gandhi, 24/A 42123 - sede operativa Magenta (MI) via Milano 89/91 20013
www.apkappa.ithttp://www.apkappa.it






Ai sensi e per gli effetti della Legge sulla tutela della riservatezza personale (DL.gs. 196/03 e collegate), questa mail è destinata unicamente alle persone sopra indicate e le informazioni in essa contenute sono da considerarsi strettamente riservate.
This email is confidential, do not use the contents for any purpose whatsoever nor disclose them to anyone else. If you are not the intended recipient, you should not copy, modify, distribute or take any action in reliance on it. If you have received this email in error, please notify the sender and delete this email from your system.





Igor Cicimov
Re: cookie insert method secure
June 24, 2018 11:00AM
On Wed, Jun 13, 2018 at 2:23 AM, mlist <[email protected]> wrote:

> Hi,
>
> there is a mechanism to specify to command like:
>
> cookie <cokie_name> insert indirect preserve nocache httponly secure
>
> to insert secure only if the session is ssl ? So it is possible to use
> this command on a common http/https backend without using 2 different
> redundant backend ?

You can use variables, set one for ssl and act upon in the backend as
needed.

> There are also other cockie new security specifiers such as SameSite=… ?


--
Igor Cicimov | DevOps


p. +61 (0) 433 078 728
e. igorc@encompasscorporation.com http://encompasscorporation.com/
w. www.encompasscorporation.com
a. Level 4, 65 York Street, Sydney 2000
Aleksandar Lazic
Re: cookie insert method secure
June 24, 2018 11:00AM
On 24/06/2018 07:33, mlist wrote:
>Ansible does automation cannot change internal haproxy behavior.

That's right but you can create the backends via ansible or any other
script, just an idea.

>There is possibility to ask a bug or feature request to developers ?

A lot is possible.

Please keep in mind that this is an open-source project and the best way
to add features to this project is to contribute via patches ;-)

>Roberto

Regards
Aleks

mlist
RE: cookie insert method secure
June 24, 2018 03:40PM
Hi Igor,
as I see, this is not true.

I think ssl_fc is just persisted between request and response, as this works fine without setting vars (as in the example below), but it never works for the cookie header inserted by "cookie <name> insert …". It seems that the cookie insert method overrides every other set-cookie method (probably applied as the last operation in the flow):

acl https_sess ssl_fc
acl secure_c_present res.hdr(Set-Cookie),lower -m sub secure
rspirep ^(set-cookie:.*) \1;\ Secure if https_sess !secure_c_present

Using vars instead doesn't work; I tested trying to add a header like this. It seems that this var is always false/null/empty:

http-request set-var(txn.req_ssl) ssl_fc
acl is_test var(txn.req_ssl)
http-response set-header XXX-TEST-OPTIONS TEST1 if is_test

is_test is never true, as "http-request set-var(txn.req_ssl) ssl" is never what one thinks… if I'm not wrong…




Igor Cicimov
Re: cookie insert method secure
June 25, 2018 06:20AM
On Sun, Jun 24, 2018 at 11:28 PM, mlist <[email protected]> wrote:

> Hi Igor,
>
> Using vars instead doesn't work; I tested trying to add a header like
> this. It seems that this var is always false/null/empty:
>
> http-request set-var(txn.req_ssl) ssl_fc
> acl is_test var(txn.req_ssl)
> http-response set-header XXX-TEST-OPTIONS TEST1 if is_test
>
> is_test is never true, as "http-request set-var(txn.req_ssl) ssl" is never
> what one thinks… if I'm not wrong…

You need to use the var as type bool in this case, this is from one of my
setups:

frontend:
http-request set-var(txn.req_api) bool(true) if tx_is_api

backend:
acl api_call var(txn.req_api) -m bool
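As an added example (not code from this thread and not HAProxy's own code), the following Python models what the http-response Set-Cookie rewrite discussed earlier in the thread does to cookies set by the origin server, and checks two pitfalls of the rules as they were quoted: the replace-header pattern `([^;]*);(.*)` needs a ';' in the value and so skips a bare name=value cookie, and the `lower -m sub secure` acl also matches a cookie whose value merely contains the word "secure". The cookie names and values are constructed. It deliberately does not model the header that `cookie <name> insert` adds, which, as reported above in this thread, the http-response rules do not reach.

```python
"""Model of the Set-Cookie hardening rules discussed in this thread.

Constructed example: plain Python, not HAProxy code; cookie names and
values below are made up.  It mimics what an
``http-response replace-header Set-Cookie ...`` rule does to cookies the
origin server sets and shows two pitfalls of the rules quoted in the
thread.  It does not model the header added by ``cookie <name> insert``.
"""
import re

# The thread's replace-header pattern; HAProxy searches the value for it.
THREAD_REPLACE_RE = re.compile(r"([^;]*);(.*)")


def thread_regex_fires(set_cookie: str) -> bool:
    """True when the thread's replace-header pattern would match.

    Pitfall 1: the pattern needs a ';' in the value, so a bare
    'name=value' cookie without attributes is left untouched.
    """
    return THREAD_REPLACE_RE.search(set_cookie) is not None


def substring_check_says_secure(set_cookie: str) -> bool:
    """Mirror of ``res.hdr(Set-Cookie),lower -m sub secure``.

    Pitfall 2: a substring test also fires on a cookie VALUE that happens
    to contain 'secure', so the Secure attribute would never be added.
    """
    return "secure" in set_cookie.lower()


def has_attribute(set_cookie: str, name: str) -> bool:
    """True if NAME is present as its own attribute token (case-insensitive).

    The first ';'-separated token is name=value; the rest are attributes.
    Expires values contain commas but never ';', so splitting on ';' is safe.
    """
    for token in set_cookie.split(";")[1:]:
        key = token.strip().split("=", 1)[0].strip().lower()
        if key == name.lower():
            return True
    return False


def harden_set_cookie(set_cookie: str, is_tls: bool,
                      samesite: str = "Strict") -> str:
    """Append HttpOnly, SameSite=<samesite> and, only on TLS, Secure.

    Attributes the origin already sent are kept and never duplicated; an
    existing SameSite value (for example Lax) is respected.
    """
    value = set_cookie.strip()
    if value.endswith(";"):          # avoid producing 'a=b;; Secure'
        value = value[:-1].rstrip()
    additions = []
    if not has_attribute(value, "HttpOnly"):
        additions.append("HttpOnly")
    if not has_attribute(value, "SameSite"):
        additions.append("SameSite=" + samesite)
    if is_tls and not has_attribute(value, "Secure"):
        additions.append("Secure")
    if additions:
        value = value + "; " + "; ".join(additions)
    return value


def harden_response(headers, is_tls: bool):
    """Apply harden_set_cookie to every Set-Cookie line of a response.

    headers is a list of (name, value) pairs, one per header line, which is
    also how multiple Set-Cookie lines arrive from an origin server.
    """
    out = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            value = harden_set_cookie(value, is_tls)
        out.append((name, value))
    return out


# Constructed sample response headers from a hypothetical origin server.
SAMPLE_RESPONSE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=1a2b3c; Path=/; HttpOnly"),
    ("Set-Cookie", "theme=insecure-blue"),   # no attributes; value contains "secure"
    ("Set-Cookie", "csrf=x9y8; Path=/; Secure; SameSite=Lax"),
]

if __name__ == "__main__":
    for tls in (False, True):
        print("TLS" if tls else "plain HTTP")
        for name, value in harden_response(SAMPLE_RESPONSE_HEADERS, tls):
            print("  %s: %s" % (name, value))
```

Checking each attribute as a whole ';'-delimited token, rather than as a substring of the header, is the behaviour an acl in the proxy would have to reproduce before deciding to append Secure; the parser here is a reference to compare such an acl against on a sample of real Set-Cookie lines.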
mlist
RE: cookie insert method secure
June 25, 2018 09:40AM
Thank you for the help on bool var(…). Hard to find in the documentation… Now var(…) also persists for the txn (request/response), as ssl_fc does. I tried adding a header based on the var persisted as bool and it worked, but as with the straight "acl https_sess ssl_fc", rspirep (or http-response) based on var(…) cannot modify the Set-Cookie header inserted by the "cookie <name> insert…" method.
As I wrote, probably the cookie insert method overrides any other response manipulation in the flow. Hard for me to read the source code to verify this behavior. For now we have changed the configuration to use 2 separate backends, one for http (cookie… insert) and one for https (cookie… insert… secure).
A more flexible cookie insert method would be very useful: with <condition>, with the possibility to be modified in the http-response phase, and with the possibility to add new cookie flags for security (ex: samesite) as new security standards emerge.
How do you verify your variables' memory consumption? I cannot find a stat or method to verify that variables are not using a lot of memory.
Roberto

