Welcome! Log In Create A New Profile

Advanced

Hide a request cookie in proxy_pass

Posted by gthb 
gthb
Hide a request cookie in proxy_pass
August 29, 2014 06:00PM
Hi,

is it possible to hide one request cookie (but not all, so proxy_set_header
Cookie "" is not the way) when proxying to an upstream server?

The use case is:

* website foo.com uses a hosted service on a subdomain, e.g. blog.foo.com
hosted by Wordpress.com

* horror: MSIE will send all foo.com cookies to the subdomain too, leaking
sessions (not just to Wordpress.com but to everyone because blog.foo.com
does not support HTTPS), and there's no way to tell it not to

* proposed workaround: serve blog.foo.com yourself, using Nginx, HTTPS-only,
proxying to the hosted service (as foo.wordpress.com, which does support
HTTPS), and stripping out the parent-domain request cookies

Is there a way to do this with Nginx? A way to rewrite the Cookie header to
strip out selected cookies?

Or is the only way out of this to avoid the subdomain cookie situation
altogether, either by running www.foo.com instead of foo.com, or by
abandoning the subdomain and using e.g. foo.com/blog/ instead?

Thanks,

Gulli

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,252944,252944#msg-252944

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Maxim Dounin
Re: Hide a request cookie in proxy_pass
August 29, 2014 07:30PM
Hello!

On Fri, Aug 29, 2014 at 11:55:08AM -0400, gthb wrote:

> Hi,
>
> is it possible to hide one request cookie (but not all, so proxy_set_header
> Cookie "" is not the way) when proxying to an upstream server?
>
> The use case is:
>
> * website foo.com uses a hosted service on a subdomain, e.g. blog.foo.com
> hosted by Wordpress.com
>
> * horror: MSIE will send all foo.com cookies to the subdomain too, leaking
> sessions (not just to Wordpress.com but to everyone because blog.foo.com
> does not support HTTPS), and there's no way to tell it not to
>
> * proposed workaround: serve blog.foo.com yourself, using Nginx, HTTPS-only,
> proxying to the hosted service (as foo.wordpress.com, which does support
> HTTPS), and stripping out the parent-domain request cookies
>
> Is there a way to do this with Nginx? A way to rewrite the Cookie header to
> strip out selected cookies?

With proxy_set_header you can change the header to any value,
including one with a particular cookie removed. The tricky part
is to construct new value for the original header. Something like
this should work:

set $new_cookie $http_cookie;

if ($http_cookie ~ "(.*)(?:^|;)\s*secret=[^;]+(.*)") {
set $new_cookie $1$2;
}

proxy_pset_header Cookie $new_cookie;

(Note that the above is completely untested.)

--
Maxim Dounin
http://nginx.org/

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
gthb
Re: Hide a request cookie in proxy_pass
September 02, 2014 12:20PM
Yep, works like a charm, thank you! And two consecutive ifs to strip two
cookies works as well:

set $stripped_cookie $http_cookie;
if ($http_cookie ~ "(.*)(?:^|;)\s*sessionid=[^;]+(.*)$") {
set $stripped_cookie $1$2;
}
if ($stripped_cookie ~ "(.*)(?:^|;)\s*csrftoken=[^;]+(.*)$") {
set $stripped_cookie $1$2;
}

Cheers,

Gulli

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,252944,253012#msg-253012

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
jwal
Re: Hide a request cookie in proxy_pass
December 13, 2016 05:40AM
Hi,

Thanks for this; it is pretty close to what I need. I just tried it out in
the regex101.com editor and I think there might be a vulnerability:
https://regex101.com/delete/ypHV2Yw6o3wHqGDQTHRPZw3r

The client could include the same cookie name in twice. This regexp would
only strip out one of them. If the client sets a Javascript cookie with the
same name as the HttpOnly cookie you are trying to protect then they might
end up getting the secret cookie passed through to the origin server. Not
sure if you can contrive a practical attack from this observation.

I have not yet found a general solution. In my case I am using the
auth_request directive of Nginx so the auth_request service (a Python
script) can provide the value of the onward Cookie header.

Regards,

James

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,252944,270941#msg-270941

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
jwal
Re: Hide a request cookie in proxy_pass
December 13, 2016 05:40AM
Oops: this is the correct link: https://regex101.com/r/RZltB6/1

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,252944,270942#msg-270942

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
AntoUX
Re: Hide a request cookie in proxy_pass
November 29, 2017 05:50PM
Hello,

I've found strange behaviour with this rewrite method.
When :
- there are space (%20) in the URI
And
- a cookie match regexp (and is removed)

Nginx replace ";" and " " in Cookie header with %3B%20

For example:
I want to remove "Testy" cookie.
Here is nginx sample config :
server {
set $new_cookie $http_cookie;
if ($http_cookie ~ "(.*)(?:^|;)\s*Testy=[^;]+(.*)") {
set $new_cookie $1$2;
}
if ($new_cookie ~ "^[;]+(.*)") {
set $new_cookie $1;
}
proxy_set_header Cookie $new_cookie;
proxy_pass http://www.com_backend;
}
upstream www.com_backend {
server localhost:9020;
keepalive 30;
}


With this request :
GET /api/TEST%20TEST HTTP/1.1
Cookie: country_code=FR; session=IntcI; lastvisitfor=IjIwMT%3D;
Testy=uid%08474524469%26fst%3D15118; teaser=eyJ0eXBl2; popin=eyJib3R0

Nginx remove correctly Testy cookie but forward this cookie header to
backend:
Cookie:
country_code=FR%3B%20session=IntcI%3B%20lastvisitfor=IjIwMT%3D%3B%20teaser=eyJ0eXBl2%3B%20popin=eyJib3R0

Due to the fact there are no "; " anymore, backend consider there is only
one big cookie : "country_code".

nginx version: nginx/1.12.1
OS : CentOS 6.9

Any ideas on how to fix it ?
Thanks.

Anto

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,252944,277574#msg-277574

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Sorry, only registered users may post in this forum.

Click here to login