Ross Golder created GUACAMOLE-548:
-------------------------------------

             Summary: Guacamole cookie does not contain the 'secure' attribute
                 Key: GUACAMOLE-548
                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-548
             Project: Guacamole
          Issue Type: Bug
    Affects Versions: 0.9.14
            Reporter: Ross Golder
         Attachments: Screen Shot 2018-04-17 at 11.26.22.png


One of my colleagues is doing a security audit of our internal network 
services, which includes our Guacamole instance. Using 'Qualys FreeScan' he 
gets the following error:

"Cookie Does not contain the 'secure' attribute."

(see attached screenshots)

The setup is a Linux VM running the latest (0.9.14) 'guacamole/guacamole' and 
'guacamole/cd' containers behind an nginx SSL reverse proxy. The nginx 
configuration is as per the recommended documentation:

{code:java}
server {
    listen 443 ssl;
    server_name guacamole.ourdomain.com;

    ssl_certificate /etc/letsencrypt/live/guacamole.ourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/guacamole.ourdomain.com/privkey.pem;

    # Subrequest used by auth_request below; the body is dropped so only the
    # headers reach the authentication backend.
    location = /auth {
        proxy_pass https://...(redacted);
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location / {
        auth_request /auth;
        proxy_pass http://guacamole-lb:8080/guacamole/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Tell the backend the client connected over $scheme (https here),
        # using the de-facto and the RFC 7239 header forms.
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header Forwarded proto=$scheme;
        # Required for the WebSocket tunnel.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        gzip off;
    }
}
{code}

As far as I can see, Guacamole should determine that it's being served via an 
https connection so that it can be configured to generate 'secure' cookie headers. 
I've tried adding 'X-Forwarded-Proto', 'X-Forwarded-Protocol' and the newer 
'Forwarded' header, but the cookies are issued as 'httponly' regardless.

Please advise.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
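The following is an added illustration and is not code from the Guacamole project or from the reporter. It shows, in Python, the two halves of the problem described above: how a scanner decides that a Set-Cookie header lacks the Secure attribute, and how a backend behind a TLS-terminating proxy can recover the client's scheme from X-Forwarded-Proto, X-Forwarded-Protocol or the RFC 7239 Forwarded header and only then emit Secure. The cookie name and values are constructed placeholders, not Guacamole's real session cookie.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: a Set-Cookie header as the browser sees it through the
# proxy. The cookie name is a placeholder, not Guacamole's actual cookie.
SAMPLE_SET_COOKIE = "GUAC_SESSION_PLACEHOLDER=abc123; Path=/guacamole; HttpOnly"

# Attributes a scanner expects on a session cookie served over HTTPS.
REQUIRED_FLAGS = ("secure", "httponly")


def parse_set_cookie(value: str) -> Tuple[str, str, Dict[str, Optional[str]]]:
    """Split a Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly map to None because they carry no value.
    """
    parts = [p.strip() for p in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return name.strip(), cookie_value.strip(), attrs


def missing_flags(set_cookie: str) -> List[str]:
    """Return the required flags absent from a Set-Cookie header.

    This is the check behind a finding like "Cookie does not contain the
    'secure' attribute": for SAMPLE_SET_COOKIE it returns ['secure'].
    """
    _, _, attrs = parse_set_cookie(set_cookie)
    return [flag for flag in REQUIRED_FLAGS if flag not in attrs]


def forwarded_scheme(headers: Dict[str, str], transport_scheme: str) -> str:
    """Determine the scheme the client used, as a backend behind a proxy would.

    Precedence: RFC 7239 Forwarded (proto=...), then X-Forwarded-Proto, then
    X-Forwarded-Protocol, then the scheme of the hop that reached the backend.
    Only the first (client-most) element of a comma-separated list is used.
    These headers must only be honoured when the request came from a trusted
    proxy; otherwise a client could claim https over a plain-HTTP connection.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    if "forwarded" in lower:
        first_hop = lower["forwarded"].split(",")[0]
        match = re.search(r'(?i)\bproto=("?)(https?)\1', first_hop)
        if match:
            return match.group(2).lower()
    for name in ("x-forwarded-proto", "x-forwarded-protocol"):
        if name in lower:
            return lower[name].split(",")[0].strip().lower()
    return transport_scheme.lower()


def build_set_cookie(name: str, value: str, path: str, client_scheme: str) -> str:
    """Build a session Set-Cookie header, adding Secure only when the client
    actually connected over HTTPS (directly or via a trusted proxy)."""
    attrs = [f"{name}={value}", f"Path={path}", "HttpOnly"]
    if client_scheme == "https":
        attrs.append("Secure")
    return "; ".join(attrs)


if __name__ == "__main__":
    print("scanner finding, missing:", missing_flags(SAMPLE_SET_COOKIE))
    # Constructed headers as the nginx configuration above would forward them.
    proxied = {"X-Forwarded-Proto": "https", "Forwarded": "proto=https"}
    scheme = forwarded_scheme(proxied, transport_scheme="http")
    fixed = build_set_cookie("GUAC_SESSION_PLACEHOLDER", "abc123", "/guacamole", scheme)
    print("corrected header:", fixed)
    print("missing after fix:", missing_flags(fixed))
```

The backend half only helps if the application honours the forwarded scheme; where it does not, nginx 1.19.3 and later can add the attribute at the proxy with the `proxy_cookie_flags` directive, which is a mitigation rather than a fix for the application's own behaviour.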
