Hi all.

A frontend listens on both HTTP and HTTPS.
It should set the "Secure" attribute on cookies sent over the encrypted channel and not on the others.

Here are the relevant lines of the configuration

frontend XXX-FE
  bind 10.64.44.160:80  name HTTP
  bind 10.64.44.160:443 name HTTPS ssl crt /etc/ssl/private/XXX.pem
  mode http
  # tell the backend servers which scheme the client used
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
  http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains if { ssl_fc }
  # append "Secure" to every Set-Cookie when the client connected over TLS
  http-response replace-header Set-Cookie (.*) \1;\ Secure if { ssl_fc }
  use_backend XXX if { path_beg -i /AAA }

backend XXX
  mode http
  # persistence cookie "rs" inserted by haproxy itself
  cookie rs insert indirect nocache httponly maxidle 1h
  server serverA 10.64.44.155:80 check cookie A
  server serverB 10.64.44.156:80 check cookie B

Testing with curl https://someserver/something.aspx the response has the following headers

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 12450
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/8.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET=1hj2c; path=/; HttpOnly; Secure <- from server
X-Powered-By: ASP.NET
Date: Wed, 26 Jul 2017 14:40:11 GMT
Strict-Transport-Security: max-age=16000000; includeSubDomains
Set-Cookie: rs=A|WXipz; path=/; HttpOnly <- from haproxy


It seems that the "Set-Cookie" coming from the real server correctly has the "Secure" attribute set by the frontend, while the load-balancing one does not.
Is this the expected behaviour?

Thank you

.marcoc
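A small audit script for the situation described in the post, added here as an example and not part of the original message or of HAProxy. It parses a raw HTTP response head (the one captured above, embedded as a constructed sample without the "<- from ..." annotations), splits out every Set-Cookie header, and reports cookies whose Secure/HttpOnly attributes do not match the channel the response arrived on: a cookie without Secure on an HTTPS response, or with Secure on a plain-HTTP response (which modern browsers discard). Function names and the `over_tls` parameter are this example's own.

```python
"""Audit Set-Cookie headers in a raw HTTP response for the Secure attribute.

Added example, not code from the original post or from HAProxy.
Run it against a response captured with `curl -i` from each listener.
"""

from dataclasses import dataclass

# Constructed sample: the HTTPS response quoted in the post, minus the
# hand-written "<- from server" / "<- from haproxy" annotations.
SAMPLE_HTTPS_RESPONSE = """HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 12450
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/8.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET=1hj2c; path=/; HttpOnly; Secure
X-Powered-By: ASP.NET
Date: Wed, 26 Jul 2017 14:40:11 GMT
Strict-Transport-Security: max-age=16000000; includeSubDomains
Set-Cookie: rs=A|WXipz; path=/; HttpOnly
"""


@dataclass
class CookieFinding:
    name: str
    problem: str


def parse_set_cookie(value: str):
    """Split a Set-Cookie value into (cookie name, lower-cased attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def response_headers(raw: str):
    """Return (lower-cased name, value) pairs from a raw response head.

    Repeated headers such as Set-Cookie stay as separate pairs; the status
    line is skipped and parsing stops at the first blank line.
    """
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    pairs = []
    for line in lines[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit_cookies(raw_response: str, over_tls: bool):
    """Flag cookies whose Secure/HttpOnly flags are inconsistent with the channel."""
    findings = []
    for name, value in response_headers(raw_response):
        if name != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(value)
        if over_tls and "secure" not in attrs:
            findings.append(CookieFinding(cookie, "missing Secure on an HTTPS response"))
        if not over_tls and "secure" in attrs:
            findings.append(CookieFinding(
                cookie, "Secure set on a plain-HTTP response; browsers discard it"))
        if "httponly" not in attrs:
            findings.append(CookieFinding(cookie, "missing HttpOnly"))
    return findings


if __name__ == "__main__":
    # Over TLS the haproxy-inserted "rs" cookie is the only one flagged.
    for finding in audit_cookies(SAMPLE_HTTPS_RESPONSE, over_tls=True):
        print(f"{finding.name}: {finding.problem}")
```

Feed it the output of `curl -i` from the :80 and :443 listeners separately (passing `over_tls` accordingly) so that a Secure attribute leaking onto the plain-HTTP path is caught as well as one missing on the TLS path.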
