Hi Igor, any news about this?

From: mlist
Sent: Friday, 22 September 2017 08:58
To: 'Igor Cicimov' <[email protected]>
Cc: 'HAProxy' <[email protected]>
Subject: RE: Set-Cookie Secure

I have an ACL to leave some sites on HTTP (not redirected to HTTPS), so adding the secure flag on rspadd is not an option.

From: Igor Cicimov [mailto:[email protected]]
Sent: Friday, 22 September 2017 02:35
To: mlist <[email protected]>
Cc: HAProxy <[email protected]>
Subject: Re: Set-Cookie Secure

Then you can unconditionally include Secure in your "rspadd Set-Cookie ..." since the communication between the client and HAP is always over SSL. Or am I missing something?

On Fri, Sep 22, 2017 at 10:18 AM, mlist <[email protected]> wrote:

Hi Igor, I use fe_https:443-> be_http

From: Igor Cicimov [mailto:[email protected]]
Sent: Friday, 22 September 2017 00:44
To: rob.mlist <[email protected]>
Cc: HAProxy <[email protected]>
Subject: Re: Set-Cookie Secure

On 18 Sep 2017 10:37 pm, "rob.mlist" <[email protected]> wrote:

I set 2 cookies on behalf of Backend Servers: one with these configuration lines at Frontend:

    rspadd Set-Cookie:\ x_cookie_servedby=web1_;\ path=/ if id_web1 !back_cookie_present
    rspadd Set-Cookie:\ x_cookie_servedby=web4_;\ path=/ if id_web4 !back_cookie_present
    rspadd Set-Cookie:\ x_cookie_servedby=web10_;\ path=/ if id_web10 !back_cookie_present

one at Backend with this line (and Backend cookie directive on each server):

    cookie cookie_ha_srvid insert indirect preserve nocache

Now I need to change every response to clients to add the "secure" attribute for all client encrypted connections.
I applied the following rules, but no secure attribute is added to the response:

    acl https_sess ssl_fc
    acl secured_cookie res.hdr(Set-Cookie),lower -m sub secure
    rspirep ^(set-cookie:.*) \1;\ Secure if https_sess !secured_cookie

Roberto

Well, if you are handling the requests in two different, let's call them pipelines, like fe_http:80->be_http and fe_https:443-> be_https, you can obviously set secure cookies for the second one only without any acl gymnastics.
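An added example, not part of the thread and not HAProxy code: a small Python model of the per-header decision the quoted rspirep rule is aiming for, appending Secure to each Set-Cookie header only when the client connection used TLS and the attribute is missing. The function names and the sample headers are constructed for illustration; the check looks for Secure as an attribute rather than as a substring, so a cookie whose name or value merely contains "secure" is still rewritten.

```python
# Added illustration; function names and sample headers are constructed,
# not taken from the thread or from HAProxy.

def has_secure_attr(set_cookie_value):
    """True if Secure appears as an attribute, not merely inside name=value."""
    # The first ';'-separated part is name=value; the rest are attributes.
    attrs = set_cookie_value.split(";")[1:]
    return any(a.strip().lower() == "secure" for a in attrs)

def add_secure(headers, client_tls):
    """Return a copy of (name, value) headers with Secure appended to every
    Set-Cookie that lacks it, but only when the client connection used TLS."""
    out = []
    for name, value in headers:
        if client_tls and name.lower() == "set-cookie" and not has_secure_attr(value):
            value = value.rstrip().rstrip(";") + "; Secure"
        out.append((name, value))
    return out

def cookies_missing_secure(headers):
    """Names of cookies whose Set-Cookie header carries no Secure attribute."""
    return [v.split("=", 1)[0].strip() for n, v in headers
            if n.lower() == "set-cookie" and not has_secure_attr(v)]

# Constructed sample response: the two cookie names from the thread, one cookie
# whose name contains "secure" without the attribute, and one already marked.
SAMPLE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "x_cookie_servedby=web1_; path=/"),
    ("Set-Cookie", "cookie_ha_srvid=s1; path=/"),
    ("Set-Cookie", "secure_pref=1; path=/"),
    ("Set-Cookie", "app=abc; path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for tls in (True, False):
        print("client TLS:", tls)
        for n, v in add_secure(SAMPLE, tls):
            print("  %s: %s" % (n, v))
```

The same `cookies_missing_secure` check can be run over the headers of a captured HTTPS response to confirm that every cookie reaching the client carries the attribute.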

