[ https://issues.apache.org/jira/browse/GUACAMOLE-548?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Michael Jumper deleted GUACAMOLE-548:
-------------------------------------

> Guacamole cookie does not contain the 'secure' attribute
> --------------------------------------------------------
>
>                 Key: GUACAMOLE-548
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-548
>             Project: Guacamole
>          Issue Type: Bug
>            Reporter: Ross Golder
>            Priority: Major
>              Labels: security
>
> One of my colleagues is doing a security audit of our internal network
> services, which includes our Guacamole instance. Using 'Qualys FreeScan' he
> gets the following error:
> "Cookie Does not contain the 'secure' attribute."
> (see attached screenshots)
> The setup is a Linux VM running the latest (0.9.14) 'guacamole/guacamole' and
> 'guacamole/cd' containers behind an nginx SSL reverse proxy. The nginx
> configuration is as per the recommended documentation:
>
> {code:java}
> server {
>     listen 443 ssl;
>     server_name guacamole.ourdomain.com;
>     ssl_certificate /etc/letsencrypt/live/guacamole.ourdomain.com/fullchain.pem;
>     ssl_certificate_key /etc/letsencrypt/live/guacamole.ourdomain.com/privkey.pem;
>
>     location = /auth {
>         proxy_pass https://...(redacted);
>         proxy_pass_request_body off;
>         proxy_set_header Content-Length "";
>         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>     }
>
>     location / {
>         auth_request /auth;
>         proxy_pass http://guacamole-lb:8080/guacamole/;
>         proxy_buffering off;
>         proxy_http_version 1.1;
>         proxy_set_header Host $http_host;
>         proxy_set_header X-Real-IP $remote_addr;
>         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>         proxy_set_header X-Forwarded-Proto $scheme;
>         proxy_set_header X-Forwarded-Protocol $scheme;
>         proxy_set_header Forwarded proto=$scheme;
>         proxy_set_header Upgrade $http_upgrade;
>         proxy_set_header Connection $http_connection;
>         gzip off;
>     }
> }
> {code}
>
> As far as I can see, Guacamole should determine that it's being served via an
> https connection so that it can be configured to generate 'secure' cookie
> headers. I've tried adding 'X-Forwarded-Proto', 'X-Forwarded-Protocol' and
> the newer 'Forwarded' header but the cookies are issued as 'httponly'
> regardless.
> Please advise.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
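The cookie-attribute check this report hinges on, as an added example that is not part of the issue, of the scanner it mentions, or of the Guacamole project: a small Python audit over Set-Cookie header values (the sample values below are constructed) that reports cookies lacking the Secure or HttpOnly attribute, the same condition the scan flagged against the proxied Guacamole instance. The `served_over_tls` flag is an assumption of this script, standing in for the knowledge that the client-facing connection is HTTPS even when the backend hop is plain HTTP.

```python
"""Audit Set-Cookie headers for missing Secure / HttpOnly attributes.

Constructed example; not code from the JIRA issue or from Guacamole.
It reproduces the kind of check a web scanner performs, so the cookie
flags a reverse proxy or application actually emits can be verified
without running a scanner.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class CookieAudit:
    name: str
    secure: bool
    httponly: bool
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header_value: str) -> CookieAudit:
    """Parse one Set-Cookie value into its name plus the two flags of interest.

    Attribute names are matched case-insensitively, as browsers do (RFC 6265),
    so 'SECURE' and 'httpOnly' count the same as the canonical spellings.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    secure = httponly = False
    for attr in parts[1:]:
        key = attr.partition("=")[0].strip().lower()
        if key == "secure":
            secure = True
        elif key == "httponly":
            httponly = True
    return CookieAudit(name, secure, httponly)


def audit_set_cookie(header_value: str, served_over_tls: bool = True) -> CookieAudit:
    """Return the parsed cookie with the findings a security scan would report.

    served_over_tls (assumed True) says whether the browser-facing connection is
    HTTPS; only then is a missing Secure attribute a finding.
    """
    audit = parse_set_cookie(header_value)
    if served_over_tls and not audit.secure:
        audit.findings.append(
            f"{audit.name}: missing 'Secure' attribute on a cookie set over HTTPS")
    if not audit.httponly:
        audit.findings.append(f"{audit.name}: missing 'HttpOnly' attribute")
    return audit


def audit_response(set_cookie_values: List[str], served_over_tls: bool = True) -> List[str]:
    """Audit every Set-Cookie header of one response; returns the combined findings."""
    findings: List[str] = []
    for value in set_cookie_values:
        findings.extend(audit_set_cookie(value, served_over_tls).findings)
    return findings


# Constructed sample headers: the first matches what the report describes
# (HttpOnly present, Secure absent); the second is what a hardened deployment emits.
SAMPLE_AS_REPORTED = ["JSESSIONID=EXAMPLE0123456789; Path=/guacamole; HttpOnly"]
SAMPLE_HARDENED = ["JSESSIONID=EXAMPLE0123456789; Path=/guacamole; Secure; HttpOnly"]

if __name__ == "__main__":
    for label, headers in (("as reported", SAMPLE_AS_REPORTED), ("hardened", SAMPLE_HARDENED)):
        findings = audit_response(headers)
        print(f"[{label}] {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

To run it against a live deployment, pass `response.headers.get_all("Set-Cookie")` from a `urllib.request` response (or the Set-Cookie lines of a `curl -I` capture) to `audit_response`. Where the application cannot be made aware that the front-end connection is TLS, the proxy itself can add the attribute; nginx's `proxy_cookie_flags` directive (available since nginx 1.19.3) rewrites the flags on cookies it relays, which the check above will then confirm.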