Hello Baptiste,
Of course, this is the long explanation:
First of all, this is a scheme of the infraestructure, and the cookies inserted
in every stage:
Internet --> haproxy:443 https --> haproxy:80 http -->
application-backend:80
Internet <-- none <-- WEBSERVERID <-- JSESSIONID
The haproxy:443 is used only as a ssl termination, and redirect all the traffic
to the haproxy:80 whit this (part of) configuration:
frontend proxy-ssl
bind IP:443 name https ssl crt /etc/haproxy/certs/cert-ca.pem ciphers
RC4:HIGH:!aNULL:!MD5
mode http
option httplog
option httpclose
reqadd X-Proto:\ SSL
...
default_backend back-http
backend back-http
timeout server 3s
server bal1 IP:80
The haproxy:80 receive the traffic from the haproxy:443 and from Internet too,
this is the other part of the configuration:
frontend proxy-http
bind IP:80
mode http
option httplog
option httpclose
option forwardfor
...
default_backend backend-http
backend backend-http
timeout server 3s
option httpchk GET /testing
http-check expect string RUN
cookie WEBSERVERID insert maxidle 60m maxlife 180m indirect
server web1 IP:80 cookie A check inter 5s fastinter 1s downinter 1s
rise 2 fall 2
server web2 IP:80 cookie B check inter 5s fastinter 1s downinter 1s
rise 2 fall 2
server web3 IP:80 cookie C check inter 5s fastinter 1s downinter 1s
rise 2 fall 2
server web4 IP:80 cookie D check inter 5s fastinter 1s downinter 1s
rise 2 fall 2
server web5 IP:80 cookie E check inter 5s fastinter 1s downinter 1s
rise 2 fall 2
Whit this conf, the result of the cookies passed to the client is this:
Set-Cookie: JSESSIONID=1EAA38A1BD418EB1A79DD64E1AE9A407; Path=/; HttpOnly
Set-Cookie: WEBSERVERID=B|Us5p2|Us5p2; path=/
But I'm looking for secure this cookies in the haproxy:443. If I modify the
conf in the backend of this balancer with "cookie WEBSERVERID rewrite secure",
the result is the same.
If I modify to "cookie WEBSERVERID insert secure", the result is this:
Set-Cookie: JSESSIONID=1EAA38A1BD418EB1A79DD64E1AE9A407; Path=/; HttpOnly
Set-Cookie: WEBSERVERID=; Expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; Secure
But I'm looking for a complete rewrite of all cookies without loosing
information and with the secure option. Is it possible?
Thanks,
----------------------------------------
> Date: Wed, 8 Jan 2014 17:14:02 +0100
> Subject: Re: Add secure to all cookies passed to the client
> From: [email protected]
> To: [email protected]
> CC: [email protected]
>
> Hi Ricardo,
>
> Could you please send us an example of before/after modification?
> Cause I can't see what you want to modify.
>
> Baptiste
>
>
> On Wed, Jan 8, 2014 at 5:09 PM, Ricardo <[email protected]> wrote:
>> Hello,
>>
>>
>> I am using HA-Proxy version 1.5-dev19 2013/06/17 for ssl termination, behind
>> that, there are other haproxy balancing over 5 servers in http.
>>
>> This bottom http haproxy insert the usually cookie "WEBSERVER" for stick the
>> connections to the proper backend. Like this:
>>
>> Set-Cookie: WEBSERVERID=V|Us1vO|Us1vO; path=/
>>
>> But, in the top https haproxy, I want to add the "secure" attribute to the
>> cookie provided by the bottom http haproxy and others provided by the
>> application, like JSESSIONID.
>>
>> How can I add "secure" to all cookies passed to the client?
>>
>>
>> Thanks,
>>
>> Ricardo F.
>
