Hi Igor, any news about this?

From: mlist
Sent: Friday, 22 September 2017 08:58
To: 'Igor Cicimov' <ig...@encompasscorporation.com>
Cc: 'HAProxy' <haproxy@formilux.org>
Subject: RE: Set-Cookie Secure

I have an ACL to leave some sites on HTTP (not redirected to HTTPS), so adding
the secure flag on rspadd is not an option.

From: Igor Cicimov [mailto:ig...@encompasscorporation.com]
Sent: Friday, 22 September 2017 02:35
To: mlist <ml...@apsystems.it>
Cc: HAProxy <haproxy@formilux.org>
Subject: Re: Set-Cookie Secure

Then you can unconditionally include Secure in your "rspadd Set-Cookie ..." 
since the communication between the client and HAP is always over SSL. Or am I 
missing something?

On Fri, Sep 22, 2017 at 10:18 AM, mlist <ml...@apsystems.it> wrote:
Hi Igor, I use fe_https:443-> be_http

From: Igor Cicimov [mailto:ig...@encompasscorporation.com]
Sent: Friday, 22 September 2017 00:44
To: rob.mlist <rob.ml...@apsystems.it>
Cc: HAProxy <haproxy@formilux.org>
Subject: Re: Set-Cookie Secure



On 18 Sep 2017 10:37 pm, "rob.mlist" <rob.ml...@apsystems.it> wrote:
I set 2 cookies on behalf of Backend Servers: one with these configuration 
lines at Frontend:

   rspadd Set-Cookie:\ x_cookie_servedby=web1_;\ path=/  if id_web1 !back_cookie_present
   rspadd Set-Cookie:\ x_cookie_servedby=web4_;\ path=/  if id_web4 !back_cookie_present
   rspadd Set-Cookie:\ x_cookie_servedby=web10_;\ path=/  if id_web10 !back_cookie_present

one at Backend with this line (and Backend cookie directive on each server):
   cookie cookie_ha_srvid insert indirect preserve nocache

Now I need to change every response to clients to add the "secure" attribute for
all client encrypted connections.
I applied the following rules, but no secure attribute is added to the response:

   acl https_sess ssl_fc
   acl secured_cookie res.hdr(Set-Cookie),lower -m sub secure
   rspirep ^(set-cookie:.*) \1;\ Secure if https_sess !secured_cookie


Roberto
Well, if you are handling the requests in two different, let's call them
pipelines, like fe_http:80->be_http and fe_https:443-> be_https you can 
obviously set secure cookies for the second one only without any acl gymnastics.
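
Added example, not part of the original thread: a Python check to run over captured response headers from the HTTPS frontend, listing which Set-Cookie headers still lack the Secure attribute. The header values are constructed samples, `app_session` is a hypothetical application cookie, and `substring_check` is only a simplified stand-in for a substring match, not HAProxy's own ACL evaluation.

```python
# Audit Set-Cookie headers attribute by attribute instead of by substring.
# Sample data is constructed; cookie names x_cookie_servedby and
# cookie_ha_srvid come from the thread, app_session is hypothetical.

def cookie_attributes(set_cookie_value):
    """Split one Set-Cookie value into (cookie name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs

def missing_secure(headers):
    """Return the names of cookies whose Set-Cookie header has no Secure attribute."""
    missing = []
    for field, value in headers:
        if field.lower() != "set-cookie":
            continue
        name, attrs = cookie_attributes(value)
        if "secure" not in attrs:
            missing.append(name)
    return missing

def substring_check(headers):
    """Simplified substring test: true if any Set-Cookie value contains 'secure'."""
    return any("secure" in v.lower() for f, v in headers if f.lower() == "set-cookie")

# Constructed response headers as a client of the HTTPS frontend might see them.
SAMPLE_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "x_cookie_servedby=web1_; path=/"),
    ("Set-Cookie", "cookie_ha_srvid=web1; path=/"),
    ("Set-Cookie", "app_session=abc123; Path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    # One already-secured cookie satisfies the substring test for the whole
    # response, while the per-cookie audit still reports the other two.
    print("substring test says secured:", substring_check(SAMPLE_RESPONSE))
    print("cookies missing Secure:", missing_secure(SAMPLE_RESPONSE))
```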

