Hi Aleksandar,

as I can see in the configuration documentation, the cookie command does not seem to support <condition>.
As I now use HA-Proxy version 1.8-dev0-530141f 2017/03/02, if I set the "if { ssl_fc }" condition I get:

[ALERT] 162/194855 (10704) : parsing [/etc/haproxy/haproxy.cfg:657] : 'cookie' supports 'rewrite', 'insert', 'prefix', 'indirect', 'nocache', 'postonly', 'domain', 'maxidle, and 'maxlife' options.

Also in the newer version's documentation I cannot see support for <condition>:
http://cbonte.github.io/haproxy-dconv/1.9/configuration.html#cookie%20(Alphabetically%20sorted%20keywords%20reference)

What you wrote was exactly what I'm looking for!

>>There are also other cookie new security specifiers such as SameSite=... ?
>Sorry I don't understand this sentence.

I mean one can use other options than only those specified in the alert above, i.e.:

  cookie <cookie_name> insert indirect preserve nocache httponly SameSite=strict

We can "add" a flag to a cookie passing "through" haproxy with " rspirep ^(set-cookie:.*) \1;\ SameSite=strict ..."

  [backend set a cookie] -> [haproxy add SameSite=strict to passing cookie] -> [client get altered cookie]

How can we do that with a cookie completely added by haproxy, as we see the "cookie insert" command doesn't seem to support flags like SameSite=strict:

  DOESN'T WORK
  [haproxy cookie insert SameSite=strict] -> [client get inserted cookie flag]

[APK]

[Unione]

mlist

APKAPPA s.r.l. registered office Via F. Albani, 21 20149 Milano | p.iva/vat no. IT-08543640158
administrative and operational office Reggio Emilia (RE) via M. K. Gandhi, 24/A 42123 - operational office Magenta (MI) via Milano 89/91 20013
tel. 02 91712 000 | fax 02 91712 339 www.apkappa.it<http://www.apkappa.it>

Pursuant to and for the purposes of the law on the protection of personal privacy (DL.gs. 196/03 and related provisions), this email is intended solely for the persons indicated above and the information contained in it is to be considered strictly confidential.

This email is confidential, do not use the contents for any purpose whatsoever nor disclose them to anyone else. If you are not the intended recipient, you should not copy, modify, distribute or take any action in reliance on it.
If you have received this email in error, please notify the sender and delete this email from your system.

-----Original Message-----
From: Aleksandar Lazic <al-hapr...@none.at>
Sent: Tuesday 12 June 2018 19:29
To: mlist <ml...@apkappa.it>
Cc: haproxy@formilux.org
Subject: Re: cookie insert method secure

Hi.

On 12/06/2018 16:23, mlist wrote:
>Hi,
>
>there is a mechanism to specify to command like:
>
>cookie <cokie_name> insert indirect preserve nocache httponly secure
>
>to insert secure only if the session is ssl? So it is possible to use
>this command on a common http/https backend without using 2 different
>redundant backend?

You mean something like this?

frontend http
  ...
  default_backend common_backend

frontend https
  ...
  default_backend common_backend

backend common_backend
  ...
  cookie <cokie_name> insert indirect preserve nocache httponly if !{ ssl_fc }
  cookie <cokie_name> insert indirect preserve nocache httponly secure if { ssl_fc }
  ...

https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4.2-default_backend
https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.3.4-ssl_fc

>There are also other cookie new security specifiers such as SameSite=... ?

Sorry I don't understand this sentence.

>Thank you
>
>Rob
>
>[APK]
>
>[Unione]
>
>mlist
>
>APKAPPA s.r.l. registered office Via F. Albani, 21 20149 Milano |
> p.iva/vat no. IT-08543640158
>administrative and operational office Reggio Emilia (RE) via M. K. Gandhi,
>24/A 42123 - operational office Magenta (MI) via Milano 89/91 20013
>tel. 02 91712 000 | fax 02 91712 339 www.apkappa.it<http://www.apkappa.it>
>
>Pursuant to and for the purposes of the law on the protection of personal
>privacy (DL.gs. 196/03 and related provisions), this email is intended
>solely for the persons indicated above and the information contained in it
>is to be considered strictly confidential.
>
>This email is confidential, do not use the contents for any purpose
>whatsoever nor disclose them to anyone else. If you are not the
>intended recipient, you should not copy, modify, distribute or take any
>action in reliance on it. If you have received this email in error,
>please notify the sender and delete this email from your system.

HM, is the mailing list *the intended recipient* ;-) ?!

Best regards
Aleks
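
A check on what the client actually receives, as an added example that is not part of the thread or of HAProxy itself: it emulates in Python the rspirep rewrite quoted above and audits every Set-Cookie line for Secure, HttpOnly and SameSite. The header lines and the cookie names (JSESSIONID, pref, SRV) are constructed samples; SRV stands for an inserted persistence cookie that carries no SameSite or Secure flag, the case the thread asks about.

```python
import re

# Python emulation of the thread's rule: rspirep ^(set-cookie:.*) \1;\ SameSite=strict
RSPIREP = re.compile(r"^(set-cookie:.*)", re.IGNORECASE)

def rewrite(header_line):
    """Append SameSite=strict to a Set-Cookie header line, as the rspirep rule does."""
    return RSPIREP.sub(r"\1; SameSite=strict", header_line)

def cookie_attrs(header_line):
    """Return (cookie_name, [lower-cased attribute names]) for a Set-Cookie line, else None."""
    name, _, value = header_line.partition(":")
    if name.strip().lower() != "set-cookie":
        return None
    parts = [p.strip() for p in value.split(";") if p.strip()]
    cookie_name = parts[0].split("=", 1)[0]
    return cookie_name, [p.split("=", 1)[0].lower() for p in parts[1:]]

def audit(header_lines, over_tls):
    """Map cookie name -> list of findings for the headers the client received."""
    findings = {}
    for line in header_lines:
        parsed = cookie_attrs(line)
        if parsed is None:
            continue  # not a Set-Cookie header
        cookie_name, attrs = parsed
        issues = []
        if over_tls and "secure" not in attrs:
            issues.append("missing Secure on TLS response")
        if "httponly" not in attrs:
            issues.append("missing HttpOnly")
        if "samesite" not in attrs:
            issues.append("missing SameSite")
        elif attrs.count("samesite") > 1:
            issues.append("duplicate SameSite")  # backend value plus the appended one
        findings[cookie_name] = issues
    return findings

# Constructed sample: backend headers pass through the rewrite; the SRV cookie
# (hypothetical name) is an inserted cookie that the rewrite did not touch.
BACKEND = ["Set-Cookie: JSESSIONID=abc; Path=/; HttpOnly; Secure",
           "Set-Cookie: pref=1; Path=/; SameSite=lax",
           "Content-Type: text/html"]
CLIENT_VIEW = [rewrite(h) for h in BACKEND] + ["Set-Cookie: SRV=s1; path=/; HttpOnly"]

if __name__ == "__main__":
    for cookie, issues in audit(CLIENT_VIEW, over_tls=True).items():
        print(cookie, issues or "ok")
```

The pref cookie shows a side effect of the blanket rewrite: a backend that already sets SameSite ends up with two SameSite attributes in the same header.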