Hello,

Yes, with these lines:

    acl secure res.hdr(Set-Cookie),lower -m sub secure
    rspirep ^(Set-cookie:.*) \1;\ Secure if ! secure

Looking for information, I arrived at this blog entry:
https://blog.exceliance.fr/2014/01/30/how-to-protect-application-cookies-while-offloading-ssl/
which has nearly the same piece of code as above.

Regards,

________________________________
> Date: Tue, 28 Jan 2014 12:18:23 +0100
> Subject: RE: Add secure to all cookies passed to the client
> From: [email protected]
> To: [email protected]
> CC: [email protected]
>
> Hi,
>
> You could fix this with an acl to prevent adding the secure flag if one
> is present.
>
> Baptiste
>
> On 28 Jan 2014 12:09, "Ricardo" <[email protected]> wrote:
> Thanks, it works as expected.
>
> As a note, if the cookie already has the secure flag, with this rule
> it ends up with two secure flags, but I don't have any issue with this
> behavior.
>
> Regards,
>
> ----------------------------------------
>> Date: Sat, 25 Jan 2014 11:26:55 +0100
>> From: [email protected]
>> To: [email protected]
>> CC: [email protected]
>> Subject: Re: Add secure to all cookies passed to the client
>>
>> Hi Ricardo,
>>
>> On Thu, Jan 09, 2014 at 10:35:46AM +0100, Ricardo wrote:
>>> With this conf, the result of the cookies passed to the client is this:
>>>
>>> Set-Cookie: JSESSIONID=1EAA38A1BD418EB1A79DD64E1AE9A407; Path=/; HttpOnly
>>> Set-Cookie: WEBSERVERID=B|Us5p2|Us5p2; path=/
>>>
>>> But I'm looking to secure these cookies in the haproxy:443. If I
>>> modify the conf in the backend of this balancer with "cookie
>>> WEBSERVERID rewrite secure", the result is the same.
>>>
>>> If I modify to "cookie WEBSERVERID insert secure", the result is this:
>>>
>>> Set-Cookie: JSESSIONID=1EAA38A1BD418EB1A79DD64E1AE9A407; Path=/; HttpOnly
>>> Set-Cookie: WEBSERVERID=; Expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; Secure
>>>
>>> But I'm looking for a complete rewrite of all cookies without
>>> losing information and with the secure option. Is it possible?
>>
>> What you're talking about is rewriting cookie headers sent by the
>> server. In short, you want something like this to append "Secure"
>> to the Server cookies :
>>
>>     rspirep ^(set-cookie:.*) \1;\ Secure
>>
>> And of course you keep the "secure" flag on your "cookie" statements.
>>
>> Regards,
>> Willy
>>
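An added example, not code from this thread or from the HAProxy project: a Python check to run over captured Set-Cookie values after deploying the rule, confirming that every cookie carries exactly one Secure attribute. It parses attributes instead of substring-matching, since a `-m sub secure` test also matches a cookie whose name or value merely contains "secure". The function names and the last two sample headers are constructed for illustration.

```python
# Added example: attribute-aware audit/rewrite for Set-Cookie header values.
# Function names and the headers marked "constructed" are assumptions.

def cookie_attributes(header_value):
    """Return lower-cased attribute names that follow the name=value pair."""
    parts = header_value.split(";")[1:]
    return [p.strip().split("=", 1)[0].lower() for p in parts if p.strip()]

def has_secure(header_value):
    """True only when Secure is present as an attribute, not as a substring."""
    return "secure" in cookie_attributes(header_value)

def add_secure(header_value):
    """Append '; Secure' only when the attribute is absent (idempotent)."""
    return header_value if has_secure(header_value) else header_value + "; Secure"

def audit(set_cookie_values):
    """Return (cookie_name, problem) for each header that needs attention."""
    findings = []
    for value in set_cookie_values:
        name = value.split("=", 1)[0].strip()
        count = cookie_attributes(value).count("secure")
        if count == 0:
            findings.append((name, "missing Secure"))
        elif count > 1:
            findings.append((name, "duplicate Secure"))
    return findings

# The first two values are the headers quoted in the thread; the rest are constructed.
SAMPLE = [
    "JSESSIONID=1EAA38A1BD418EB1A79DD64E1AE9A407; Path=/; HttpOnly",
    "WEBSERVERID=B|Us5p2|Us5p2; path=/",
    "secure_pref=1; Path=/",            # constructed: "secure" in the name only
    "SID=abc; Path=/; Secure; Secure",  # constructed: doubled flag
]

if __name__ == "__main__":
    for name, problem in audit(SAMPLE):
        print(f"{name}: {problem}")
    for value in SAMPLE:
        print("Set-Cookie:", add_secure(value))
```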

