Hi, your code, as the original:
    acl https_sess ssl_fc
    acl secured_cookie res.hdr(Set-Cookie),lower -m sub secure
    rspirep ^(set-cookie:.*) \1;\ Secure if https_sess !secured_cookie

works only for cookies inserted by the backend server:

(Backend sets cookie) -> (haproxy intercepts Set-Cookie and adds "secure") -> (client receives Set-Cookie WITH secure)

It doesn't work in general for every cookie, such as those inserted by haproxy itself:

(haproxy adds a cookie with "cookie insert" or "rspadd Set-Cookie") -> (client receives Set-Cookie WITHOUT secure)

Is there a stage where haproxy can add secure for all cases?

Thank you

PS: is there somewhere a logic schema of haproxy (like those for netfilter, e.g. https://gist.github.com/nerdalert/a1687ae4da1cc44a437d), so one can know which commands work where in haproxy? I found it not so simple to control haproxy behavior more deeply.

Dott. Roberto Cazzato
APKAPPA s.r.l.
From: Igor Cicimov <ig...@encompasscorporation.com>
Sent: Monday 9 October 2017 06:38
To: mlist <ml...@apsystems.it>
Cc: HAProxy <haproxy@formilux.org>
Subject: Re: Set-Cookie Secure

Maybe try something like:

    http-request set-var(txn.req_ssl) ssl_fc
    acl https_sess var(txn.req_ssl)
    acl secured_cookie res.hdr(Set-Cookie),lower -m sub secure
    rspirep ^(set-cookie:.*) \1;\ Secure if https_sess !secured_cookie

So the first line sets a transactional variable valid for the request AND the response, and then uses it in the https_sess acl for the response.

On Sat, Oct 7, 2017 at 9:30 PM, mlist <ml...@apsystems.it> wrote:

I prefer to use only one frontend for all requests, so I can control many configs centrally, avoiding replication of rules that are not so simple to maintain. But centralizing means managing the non-default cases, so: by default all http is converted to https if some conditions (acl) are not met (for applications we impose https, for web sites we leave the choice, ...). We also use stick tables as the base for ddos control etc. (for now only basic rules), and use the cookie mechanism for normal persistence and for special client-side app persistence needed to identify the backend server in special situations. Config file attached.

From: Igor Cicimov [mailto:ig...@encompasscorporation.com]
Sent: Friday 6 October 2017 02:11
To: mlist <ml...@apsystems.it>
Cc: HAProxy <haproxy@formilux.org>
Subject: Re: Set-Cookie Secure

Hi,

On Fri, Oct 6, 2017 at 2:50 AM, mlist <ml...@apsystems.it> wrote:

Hi Igor, any news about this?
From: mlist
Sent: Friday 22 September 2017 08:58
To: 'Igor Cicimov' <ig...@encompasscorporation.com>
Cc: 'HAProxy' <haproxy@formilux.org>
Subject: RE: Set-Cookie Secure

I have acls to leave some sites on http (not redirected to https), so adding the secure flag on rspadd is not an option.

From: Igor Cicimov [mailto:ig...@encompasscorporation.com]
Sent: Friday 22 September 2017 02:35
To: mlist <ml...@apsystems.it>
Cc: HAProxy <haproxy@formilux.org>
Subject: Re: Set-Cookie Secure

Then you can unconditionally include Secure in your "rspadd Set-Cookie ..." since the communication between the client and HAP is always over SSL. Or am I missing something?

On Fri, Sep 22, 2017 at 10:18 AM, mlist <ml...@apsystems.it> wrote:

Hi Igor, I use fe_https:443 -> be_http

From: Igor Cicimov [mailto:ig...@encompasscorporation.com]
Sent: Friday 22 September 2017 00:44
To: rob.mlist <rob.ml...@apsystems.it>
Cc: HAProxy <haproxy@formilux.org>
Subject: Re: Set-Cookie Secure

On 18 Sep 2017 10:37 pm, "rob.mlist" <rob.ml...@apsystems.it> wrote:

I set 2 cookies on behalf of the backend servers: one with these configuration lines at the frontend:

    rspadd Set-Cookie:\ x_cookie_servedby=web1_;\ path=/ if id_web1 !back_cookie_present
    rspadd Set-Cookie:\ x_cookie_servedby=web4_;\ path=/ if id_web4 !back_cookie_present
    rspadd Set-Cookie:\ x_cookie_servedby=web10_;\ path=/ if id_web10 !back_cookie_present

one at the backend with this line (and the backend cookie directive on each server):

    cookie cookie_ha_srvid insert indirect preserve nocache

Now I need to change every response to clients to add the "secure" attribute for all client encrypted connections.
I applied the following rules, but no secure attribute is added to the response:

    acl https_sess ssl_fc
    acl secured_cookie res.hdr(Set-Cookie),lower -m sub secure
    rspirep ^(set-cookie:.*) \1;\ Secure if https_sess !secured_cookie

Roberto

Well, if you are handling the requests in two different, let's call them pipelines, like fe_http:80 -> be_http and fe_https:443 -> be_https, you can obviously set secure cookies for the second one only, without any acl gymnastics.

Well no, not really. Above ^^^^^^^ I asked if you are (or can convert to) running two frontends, one for http and one for https, and you replied that you are not and that you are using a single fe_https:443 -> be_http. Are you saying you have both http and https over the same 443 port? If not, and you are really running a single frontend listening on both 80 and 443 for http/https, i.e. a fe_https:(80,443) -> be_http setup, I would say that your problem is here:

    acl https_sess ssl_fc
    acl secured_cookie res.hdr(Set-Cookie),lower -m sub secure
    rspirep ^(set-cookie:.*) \1;\ Secure if https_sess !secured_cookie

More specifically, using an acl in the response that is set based on the request will not work. Try using capture or set-var instead, so the value set at request time is preserved for the logic applied at response time. Also sending the full config with sensitive data removed can be helpful.
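An added example, not from the thread, that puts the three pieces discussed above into one configuration: the txn variable from Igor's suggestion, the Secure attribute written directly into the rspadd string for the cookies haproxy inserts itself, and the cookie directive's own secure keyword for the persistence cookie, which haproxy appends after the rsp* rules have run and which rspirep therefore never sees. The proxy names, server address, certificate path and the definitions of the id_web1 and back_cookie_present acls are assumptions; only the web1 server is shown.

```haproxy
# Added example (not from the thread). Single frontend on 80 and 443
# feeding one backend; names, addresses and paths are assumptions.
frontend fe_main
    bind :80
    bind :443 ssl crt /etc/haproxy/certs/PLACEHOLDER.pem

    # Remember at request time whether the client side is TLS: txn.*
    # variables live for the whole transaction, so the value is still
    # available when the response-side rules below are evaluated.
    http-request set-var(txn.req_ssl) ssl_fc
    acl https_sess var(txn.req_ssl) -m bool

    # Assumed definitions of the acls the thread refers to by name.
    acl id_web1 srv_id 1
    acl back_cookie_present res.cook(x_cookie_servedby) -m found

    # Cookies haproxy adds on behalf of the backend: put the attribute in
    # the rspadd string itself, chosen per response with https_sess, so
    # sites left on plain http still get a cookie the browser will return.
    rspadd Set-Cookie:\ x_cookie_servedby=web1_;\ path=/;\ Secure if https_sess id_web1 !back_cookie_present
    rspadd Set-Cookie:\ x_cookie_servedby=web1_;\ path=/ if !https_sess id_web1 !back_cookie_present

    default_backend be_http

backend be_http
    # acls are per proxy, so the response-side test is declared again here;
    # the txn variable itself is shared with the frontend.
    acl https_sess var(txn.req_ssl) -m bool
    acl secured_cookie res.hdr(Set-Cookie),lower -m sub secure

    # Cookies set by the servers: rewrite the header they sent, only on a
    # TLS client session and only if the attribute is not already present.
    rspirep ^(Set-Cookie:.*) \1;\ Secure if https_sess !secured_cookie

    # The persistence cookie is appended by haproxy after the rsp* rules
    # ran, so rspirep never sees it; use the cookie directive's own flag.
    # This is unconditional: a browser will not send it back over plain
    # http, so sites that must stay on http need a backend without it.
    cookie cookie_ha_srvid insert indirect preserve nocache httponly secure

    server web1 10.0.0.11:80 cookie web1 check
```

rspadd and rspirep were removed in HAProxy 2.1; on those versions the same two rules are written as http-response add-header and http-response replace-header with the same conditions.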