Hi,

On Fri, Oct 6, 2017 at 2:50 AM, mlist <[email protected]> wrote:

> Hi Igor, some news about this?
>
> *From:* mlist
> *Sent:* Friday, 22 September 2017 08:58
> *To:* 'Igor Cicimov' <[email protected]>
> *Cc:* 'HAProxy' <[email protected]>
> *Subject:* RE: Set-Cookie Secure
>
> I have an acl to leave some sites on http (not redirected to https), so adding
> the secure flag on rspadd is not an option.
>
> *From:* Igor Cicimov [mailto:[email protected]]
> *Sent:* Friday, 22 September 2017 02:35
> *To:* mlist <[email protected]>
> *Cc:* HAProxy <[email protected]>
> *Subject:* Re: Set-Cookie Secure
>
> Then you can unconditionally include Secure in your "rspadd Set-Cookie
> ..." since the communication between the client and HAP is always over SSL.
> Or am I missing something?
>
> On Fri, Sep 22, 2017 at 10:18 AM, mlist <[email protected]> wrote:
>
> Hi Igor, I use fe_https:443-> be_http
>
> *From:* Igor Cicimov [mailto:[email protected]]
> *Sent:* Friday, 22 September 2017 00:44
> *To:* rob.mlist <[email protected]>
> *Cc:* HAProxy <[email protected]>
> *Subject:* Re: Set-Cookie Secure
>
> On 18 Sep 2017 10:37 pm, "rob.mlist" <[email protected]> wrote:
>
> I set 2 cookies on behalf of the Backend Servers: one with these configuration
> lines at the Frontend:
>
>    rspadd Set-Cookie:\ x_cookie_servedby=web1_;\ path=/  if id_web1 !back_cookie_present
>    rspadd Set-Cookie:\ x_cookie_servedby=web4_;\ path=/  if id_web4 !back_cookie_present
>    rspadd Set-Cookie:\ x_cookie_servedby=web10_;\ path=/  if id_web10 !back_cookie_present
>
> one at the Backend with this line (and a cookie directive on each Backend
> server):
>
>    cookie cookie_ha_srvid insert indirect preserve nocache
>
> now I need to change every response to clients to add the "secure" attribute
> for all client encrypted connections.
>
> I applied the following rules, but *no secure attribute is added to the
> response*:
>
>    acl https_sess ssl_fc
>    acl secured_cookie res.hdr(Set-Cookie),lower -m sub secure
>    rspirep ^(set-cookie:.*) \1;\ Secure if https_sess !secured_cookie
>
> Roberto
>
> Well if you are handling the requests in two different, let's call them
> pipelines, like fe_http:80->be_http and fe_https:443-> be_https you can
> obviously set secure cookies for the second one only without any acl
> gymnastics.
>
Well no, not really. Above ^^^^^^^ I asked if you are (or can convert
to) running two frontends, one for http and one for https, and you replied
that you are not and that you are using a single *fe_https:443-> be_http*.
Are you saying you have both http and https over the same 443 port?

If not and you are really running a single frontend listening on both 80 and
443 for http/https, i.e. a *fe_https:(80,443) -> be_http* setup, I would say
that your problem is here:

   *acl https_sess ssl_fc*
   acl secured_cookie res.hdr(Set-Cookie),lower -m sub secure
   rspirep ^(set-cookie:.*) \1;\ Secure if *https_sess* !secured_cookie

More specifically, using an acl in the response that is set based on the request
will not work. Try using *capture* or *set-var* instead so the value set at
request time is preserved for the logic applied at response time.

Also sending the full config with sensitive data removed can be helpful.

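The set-var variant Igor suggests, written out as an added example configuration (it is not from any message in this thread); the single-frontend layout, the certificate path and the backend name are assumptions, and the directives are the same 1.x-era ones Roberto uses:

```haproxy
# Added example (not from the thread): one frontend serving both :80 and :443,
# carrying the TLS state of the request into the response phase with set-var.
frontend fe_http
    bind :80
    bind :443 ssl crt /etc/haproxy/certs/example.pem   # placeholder path

    # Record at request time whether the client connection is TLS.
    # txn.* variables live for the whole transaction, so the value is still
    # there when the response rules run.
    http-request set-var(txn.is_ssl) ssl_fc

    # The response-time ACL tests the stored variable, not ssl_fc directly.
    acl https_sess     var(txn.is_ssl) -m bool
    acl secured_cookie res.hdr(Set-Cookie),lower -m sub secure

    # Append "; Secure" to every Set-Cookie that lacks it, on TLS transactions
    # only. Sites that stay on plain http via :80 keep their cookies untouched,
    # which is what the acl-based http exceptions require.
    rspirep ^(set-cookie:.*) \1;\ Secure if https_sess !secured_cookie

    default_backend be_http   # placeholder backend name
```

To confirm the behaviour, request the same page over https and over http and compare the Set-Cookie headers: only the TLS response should carry `; Secure`.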