Maybe try something like:

    http-request set-var(txn.req_ssl) ssl_fc
    acl https_sess var(txn.req_ssl)
    acl secured_cookie res.hdr(Set-Cookie),lower -m sub secure
    rspirep ^(set-cookie:.*) \1;\ Secure if https_sess !secured_cookie

So the first line sets a transactional variable valid for the request AND the response, and then uses it in the https_sess acl for the response.

On Sat, Oct 7, 2017 at 9:30 PM, mlist <[email protected]> wrote:
> I prefer to use only one frontend for all requests, so I can control centrally many config,
> avoiding replication of rules not so simple to maintain but centralizing means to manage
> not default cases, so: by default all http are converted to https if some conditions (acl)
> are not met (for applications we impose https, for web sites we leave choice, …).
>
> We also use stick table as base for ddos control, etc, as now only basic rules and
> use cookies mechanism for normal persistence and for special client side app persistence
> needed to identify backend server in special situations.
>
> Config file attached.
>
> From: Igor Cicimov [mailto:[email protected]]
> Sent: Friday 6 October 2017 02:11
> To: mlist <[email protected]>
> Cc: HAProxy <[email protected]>
> Subject: Re: Set-Cookie Secure
>
> Hi,
>
> On Fri, Oct 6, 2017 at 2:50 AM, mlist <[email protected]> wrote:
>
> Hi Igor, some news about this ?
>
> From: mlist
> Sent: Friday 22 September 2017 08:58
> To: 'Igor Cicimov' <[email protected]>
> Cc: 'HAProxy' <[email protected]>
> Subject: RE: Set-Cookie Secure
>
> I have acl to leave some sites http (not redirected to https), so adding secure flag on rspadd is not an option.
>
> From: Igor Cicimov [mailto:[email protected] <[email protected]>]
> Sent: Friday 22 September 2017 02:35
> To: mlist <[email protected]>
> Cc: HAProxy <[email protected]>
> Subject: Re: Set-Cookie Secure
>
> Then you can unconditionally include Secure in your "rspadd Set-Cookie ..." since the communication between the client and HAP is always over SSL. Or am I missing something?
>
> On Fri, Sep 22, 2017 at 10:18 AM, mlist <[email protected]> wrote:
>
> Hi Igor, I use fe_https:443-> be_http
>
> From: Igor Cicimov [mailto:[email protected]]
> Sent: Friday 22 September 2017 00:44
> To: rob.mlist <[email protected]>
> Cc: HAProxy <[email protected]>
> Subject: Re: Set-Cookie Secure
>
> On 18 Sep 2017 10:37 pm, "rob.mlist" <[email protected]> wrote:
>
> I set 2 cookies on behalf of Backend Servers: one with these configuration lines at Frontend:
>
>     rspadd Set-Cookie:\ x_cookie_servedby=web1_;\ path=/ if id_web1 !back_cookie_present
>     rspadd Set-Cookie:\ x_cookie_servedby=web4_;\ path=/ if id_web4 !back_cookie_present
>     rspadd Set-Cookie:\ x_cookie_servedby=web10_;\ path=/ if id_web10 !back_cookie_present
>
> one at Backend with this line (and Backend cookie directive on each server):
>
>     cookie cookie_ha_srvid insert indirect preserve nocache
>
> now I need to change every response to clients to add "secure" attribute for all client encrypted connections.
> I applied following rules, but *no secure attribute is added to the response*:
>
>     acl https_sess ssl_fc
>     acl secured_cookie res.hdr(Set-Cookie),lower -m sub secure
>     rspirep ^(set-cookie:.*) \1;\ Secure if https_sess !secured_cookie
>
> Roberto
>
> Well if you are handling the requests in two different, let's call them pipelines, like fe_http:80->be_http and fe_https:443-> be_https you can obviously set secure cookies for the second one only without any acl gymnastics.
>
> Well no, not really. Above ^^^^^^^ I asked if you are (or can convert to) running two frontends, one for http and one for https, and you replied that you are not and that you are using single *fe_https:443-> be_http*. Are you saying you have both http and https over same 443 port?
>
> If not and you are really running single frontend listening on both 80 and 443 for http/https, i.e. *fe_https:(80,443) -> be_http* setup, I would say that your problem is here:
>
>     acl https_sess ssl_fc
>     acl secured_cookie res.hdr(Set-Cookie),lower -m sub secure
>     rspirep ^(set-cookie:.*) \1;\ Secure if https_sess !secured_cookie
>
> more specific using an acl in the response that is set based on the request will not work. Try using *capture* or *set-var* instead so the value set in request time is preserved for the logic applied in the response time.
>
> Also sending the full config with sensitive data removed can be helpful.
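The single-frontend setup the thread ends on, as an added configuration example that is not from the thread or from HAProxy's own docs: the request-time ACL that never fires at response time is shown next to the txn-variable version. The frontend and backend names, certificate path and server addresses are placeholders, and the `-m bool` match on `var()` and the regex form of the secured_cookie ACL are this example's assumptions, not something the thread states.

```haproxy
# Constructed example: one frontend serving both 80 and 443, as in the thread.
frontend fe_web
    mode http
    bind *:80
    bind *:443 ssl crt /etc/haproxy/certs/example.pem   # placeholder path

    # BROKEN (the thread's original rules): ssl_fc is a request-time fetch.
    # When the response rules run, the ACL is evaluated again in a context
    # where it has no usable value, so the rewrite never applies.
    # (rspirep/rspadd were removed in HAProxy 2.1; http-response replaces them.)
    #acl https_sess ssl_fc
    #acl secured_cookie res.hdr(Set-Cookie),lower -m sub secure
    #rspirep ^(set-cookie:.*) \1;\ Secure if https_sess !secured_cookie

    # FIXED: record the request-time fact in a transaction-scoped variable.
    # txn.* variables live for the whole request/response exchange.
    http-request set-var(txn.req_ssl) ssl_fc

    # Evaluate the stored boolean when the response rules run (assumed -m bool).
    acl https_sess var(txn.req_ssl) -m bool

    # Does a Set-Cookie header already carry the attribute?
    # "-m sub secure" is a plain substring test and would also match a cookie
    # whose name or value merely contains "secure" (e.g. insecure_mode=1);
    # the regex only accepts "; secure" as an attribute (assumed pattern).
    acl secured_cookie res.hdr(Set-Cookie),lower -m reg ;\ *secure(\ *;|$)

    # Append the attribute to every Set-Cookie header of the response when the
    # client side was TLS and no header already declares it.
    http-response replace-header Set-Cookie ^(.*)$ \1;\ Secure if https_sess !secured_cookie

    default_backend be_http

backend be_http
    mode http
    # The thread's own persistence cookie directive, inserted by HAProxy.
    cookie cookie_ha_srvid insert indirect preserve nocache
    server web1 192.0.2.11:80 cookie web1 check   # placeholder addresses
    server web4 192.0.2.14:80 cookie web4 check
```

Because the ACL on res.hdr is true as soon as any Set-Cookie header in the response matches, a response that mixes an already-Secure cookie with a plain one leaves the plain one untouched; if that matters, drop `!secured_cookie` from the condition and accept a duplicated attribute on the cookies that already had it.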

