Hi,

your code, as the original:

acl https_sess ssl_fc
acl secured_cookie res.hdr(Set-Cookie),lower -m sub secure
rspirep ^(set-cookie:.*) \1;\ Secure if https_sess !secured_cookie

works only for cookies inserted by the backend server:
(Backend sets cookie) -> (haproxy intercepts Set-Cookie and adds "Secure") -> (client receives Set-Cookie WITH Secure)

It doesn't work in general for every cookie, such as those inserted by haproxy itself:
(haproxy adds a cookie with "cookie insert" or "rspadd Set-Cookie") -> (client receives Set-Cookie WITHOUT Secure)

Is there a stage at which haproxy can add Secure in all cases?

Thank you

PS: is there somewhere a logic schema of haproxy (like those for netfilter, e.g. https://gist.github.com/nerdalert/a1687ae4da1cc44a437d) so one can know which commands work where in haproxy? I found it not so simple to control haproxy behaviour more deeply.




Dr. Roberto Cazzato
ICT and Cloud Security
Technical Department

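Added example, not from the thread or from HAProxy itself: a Python model of the acl/rspirep pair quoted above, so its behaviour can be checked offline against a constructed response. It reproduces the two cases the rule does not handle (a response where only some cookies are already Secure, and a value that merely contains the word "secure"), and audit is the check to run on real responses; the cookie names and values are constructed.

```python
import re
from typing import List, Tuple

Header = Tuple[str, str]

# Constructed sample (not from the thread): a backend response over a TLS client
# connection, including the cookies the thread's rspadd and "cookie insert" lines set.
SAMPLE_TLS_RESPONSE: List[Header] = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "x_cookie_servedby=web1_; path=/"),
    ("Set-Cookie", "cookie_ha_srvid=web1; path=/"),
]

# A real Secure attribute is its own ";"-separated token, not just the word somewhere.
SECURE_ATTR = re.compile(r";\s*secure\s*(?:;|$)", re.IGNORECASE)


def is_set_cookie(name: str) -> bool:
    return name.lower() == "set-cookie"


def has_secure_attr(cookie: str) -> bool:
    """True if this Set-Cookie value carries an actual Secure attribute."""
    return SECURE_ATTR.search(cookie) is not None


def apply_rspirep(headers: List[Header], is_tls: bool) -> List[Header]:
    """Model of the thread's rule pair:
         acl secured_cookie res.hdr(Set-Cookie),lower -m sub secure
         rspirep ^(set-cookie:.*) \\1;\\ Secure if https_sess !secured_cookie
    The acl is ONE verdict per response: "-m sub" matches the text "secure" in ANY
    Set-Cookie value, so a mixed response is left untouched, and a value that merely
    contains the word (e.g. "pref=insecure") counts as already secured."""
    cookies = [v for n, v in headers if is_set_cookie(n)]
    already = any("secure" in v.lower() for v in cookies)
    if not is_tls or already:
        return list(headers)
    return [(n, v + "; Secure") if is_set_cookie(n) else (n, v) for n, v in headers]


def audit(headers: List[Header], is_tls: bool) -> List[str]:
    """Names of cookies set over a TLS client connection without a Secure attribute."""
    if not is_tls:
        return []
    return [v.split("=", 1)[0].strip()
            for n, v in headers if is_set_cookie(n) and not has_secure_attr(v)]
```

Running audit on the rewritten sample returns an empty list, while the mixed and "insecure" cases come back unchanged with their unprotected cookie names listed.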





From: Igor Cicimov <ig...@encompasscorporation.com>
Sent: Monday 9 October 2017 06:38
To: mlist <ml...@apsystems.it>
Cc: HAProxy <haproxy@formilux.org>
Subject: Re: Set-Cookie Secure


Maybe try something like:

http-request set-var(txn.req_ssl) ssl_fc

acl https_sess var(txn.req_ssl)
acl secured_cookie res.hdr(Set-Cookie),lower -m sub secure
rspirep ^(set-cookie:.*) \1;\ Secure if https_sess !secured_cookie

So the first line sets a transactional variable valid for the request AND the response, and then uses it in the https_sess acl for the response.

On Sat, Oct 7, 2017 at 9:30 PM, mlist 
<ml...@apsystems.it<mailto:ml...@apsystems.it>> wrote:
I prefer to use only one frontend for all requests, so I can control many configs centrally, avoiding replication of rules that are not so simple to maintain; but centralizing means managing non-default cases, so: by default all http is converted to https if some conditions (acl) are not met (for applications we impose https, for web sites we leave the choice, ...).
We also use a stick table as the basis for ddos control, etc., for now only basic rules, and use the cookie mechanism for normal persistence and for special client-side app persistence needed to identify the backend server in special situations.
Config file attached.
From: Igor Cicimov 
[mailto:ig...@encompasscorporation.com<mailto:ig...@encompasscorporation.com>]
Sent: Friday 6 October 2017 02:11

To: mlist <ml...@apsystems.it<mailto:ml...@apsystems.it>>
Cc: HAProxy <haproxy@formilux.org<mailto:haproxy@formilux.org>>
Subject: Re: Set-Cookie Secure
Hi,
On Fri, Oct 6, 2017 at 2:50 AM, mlist 
<ml...@apsystems.it<mailto:ml...@apsystems.it>> wrote:
Hi Igor, some news about this ?
From: mlist
Sent: Friday 22 September 2017 08:58
To: 'Igor Cicimov' 
<ig...@encompasscorporation.com<mailto:ig...@encompasscorporation.com>>
Cc: 'HAProxy' <haproxy@formilux.org<mailto:haproxy@formilux.org>>
Subject: RE: Set-Cookie Secure
I have acls to leave some sites on http (not redirected to https), so adding the secure flag on rspadd is not an option.
From: Igor Cicimov [mailto:ig...@encompasscorporation.com]
Sent: Friday 22 September 2017 02:35
To: mlist <ml...@apsystems.it<mailto:ml...@apsystems.it>>
Cc: HAProxy <haproxy@formilux.org<mailto:haproxy@formilux.org>>
Subject: Re: Set-Cookie Secure
Then you can unconditionally include Secure in your "rspadd Set-Cookie ..." 
since the communication between the client and HAP is always over SSL. Or am I 
missing something?
On Fri, Sep 22, 2017 at 10:18 AM, mlist 
<ml...@apsystems.it<mailto:ml...@apsystems.it>> wrote:
Hi Igor, I use fe_https:443-> be_http
From: Igor Cicimov 
[mailto:ig...@encompasscorporation.com<mailto:ig...@encompasscorporation.com>]
Sent: Friday 22 September 2017 00:44
To: rob.mlist <rob.ml...@apsystems.it<mailto:rob.ml...@apsystems.it>>
Cc: HAProxy <haproxy@formilux.org<mailto:haproxy@formilux.org>>
Subject: Re: Set-Cookie Secure
On 18 Sep 2017 10:37 pm, "rob.mlist" 
<rob.ml...@apsystems.it<mailto:rob.ml...@apsystems.it>> wrote:
I set 2 cookies on behalf of the backend servers: one with these configuration lines at the frontend:
rspadd Set-Cookie:\ x_cookie_servedby=web1_;\ path=/ if id_web1 !back_cookie_present
rspadd Set-Cookie:\ x_cookie_servedby=web4_;\ path=/ if id_web4 !back_cookie_present
rspadd Set-Cookie:\ x_cookie_servedby=web10_;\ path=/ if id_web10 !back_cookie_present
one at the backend with this line (and a backend cookie directive on each server):
cookie cookie_ha_srvid insert indirect preserve nocache
now I need to change every response to clients to add the "secure" attribute for all client encrypted connections.
I applied the following rules, but no secure attribute is added to the response:
acl https_sess ssl_fc
acl secured_cookie res.hdr(Set-Cookie),lower -m sub secure
rspirep ^(set-cookie:.*) \1;\ Secure if https_sess !secured_cookie
Roberto
Well if you are handling the requests in two different, let's call them pipelines, like fe_http:80->be_http and fe_https:443->be_https you can obviously set secure cookies for the second one only without any acl gymnastics.
Well no, not really. Above ^^^^^^^ I asked if you are (or can convert to) running two frontends, one for http and one for https, and you replied that you are not and that you are using a single fe_https:443->be_http. Are you saying you have both http and https over the same 443 port?
If not and you are really running a single frontend listening on both 80 and 443 for http/https, i.e. a fe_https:(80,443) -> be_http setup, I would say that your problem is here:
acl https_sess ssl_fc
acl secured_cookie res.hdr(Set-Cookie),lower -m sub secure
rspirep ^(set-cookie:.*) \1;\ Secure if https_sess !secured_cookie
More specifically, using an acl in the response that is set based on the request will not work. Try using capture or set-var instead so the value set at request time is preserved for the logic applied at response time.
Also sending the full config with sensitive data removed can be helpful.
