Hi Aleksandar,

As I can see in the configuration documentation, the cookie command does not seem
to support <condition>.
Right now I use HA-Proxy version 1.8-dev0-530141f 2017/03/02, and if I set the
"if { ssl_fc }" condition I get:

[ALERT] 162/194855 (10704) : parsing [/etc/haproxy/haproxy.cfg:657] : 'cookie' 
supports 'rewrite', 'insert', 'prefix', 'indirect', 'nocache', 'postonly', 
'domain', 'maxidle, and 'maxlife' options.

Also, in the newer version's documentation I cannot see support for <condition>:

http://cbonte.github.io/haproxy-dconv/1.9/configuration.html#cookie%20(Alphabetically%20sorted%20keywords%20reference)

What you wrote was exactly what I'm looking for!

>>There are also other cookie new security specifiers such as SameSite=... ?

>Sorry I don't understand this sentence.

I mean one can use other options than only those specified in the alert above,
i.e.:

 cookie <cookie_name> insert indirect preserve nocache httponly SameSite=strict

We can "add" a flag to a cookie passing "through" haproxy with
"rspirep ^(set-cookie:.*) \1;\ SameSite=strict ..."

[backend set a cookie] -> [haproxy add SameSite=strict to passing cookie] -> [client get altered cookie]

How can we do that with a cookie completely added by haproxy, as we see the
"cookie insert" command doesn't seem to support flags like SameSite=strict:

DOESN'T WORK
[haproxy cookie insert SameSite=strict] -> [client get inserted cookie flag]




mlist

-----Original Message-----
From: Aleksandar Lazic <al-hapr...@none.at>
Sent: Tuesday 12 June 2018 19:29
To: mlist <ml...@apkappa.it>
Cc: haproxy@formilux.org
Subject: Re: cookie insert method secure

Hi.

On 12/06/2018 16:23, mlist wrote:
>Hi,
>
>is there a mechanism to specify a command like:
>
>cookie <cookie_name> insert indirect preserve nocache httponly secure
>
>to insert secure only if the session is ssl? So is it possible to use
>this command on a common http/https backend without using 2 different
>redundant backends?

You mean something like this?

frontend http
 ...
 default_backend common_backend

frontend https
 ...
 default_backend common_backend

backend common_backend
 ...
 cookie <cookie_name> insert indirect preserve nocache httponly if !{ ssl_fc }
 cookie <cookie_name> insert indirect preserve nocache httponly secure if { ssl_fc }
 ...

https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4.2-default_backend
https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.3.4-ssl_fc

>There are also other cookie new security specifiers such as SameSite=... ?

Sorry I don't understand this sentence.

>Thank you
>
>Rob
>
>mlist
>
>APKAPPA s.r.l. registered office Via F. Albani, 21 20149 Milano |
> VAT no. IT-08543640158
>administrative and operational headquarters Reggio Emilia (RE) via M. K. Gandhi,
>24/A 42123 - operational office Magenta (MI) via Milano 89/91 20013
>tel.  02 91712 000 | fax  02 91712 339 www.apkappa.it<http://www.apkappa.it>
>
>Pursuant to and for the purposes of the law on the protection of personal
>privacy (DL.gs. 196/03 and related provisions), this mail is intended
>solely for the persons indicated above, and the information contained in
>it is to be considered strictly confidential.
>
>This email is confidential, do not use the contents for any purpose
>whatsoever nor disclose them to anyone else. If you are not the
>intended recipient, you should not copy, modify, distribute or take any
>action in reliance on it. If you have received this email in error,
>please notify the sender and delete this email from your system.

HM, is the mailing list *the intended recipient* ;-) ?!

Best regards
Aleks
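
The response rewrite quoted in the thread for cookies set by the backend ("rspirep ^(set-cookie:.*) \1;\ SameSite=strict"), modelled in Python as an added example; it is not code from the thread or from HAProxy. It applies the regex to constructed header lines, shows that the unconditional form duplicates SameSite when the backend already sent one, and gives a variant that appends only missing attributes and adds Secure only for TLS sessions. The function names and sample headers are assumptions made for illustration.

```python
import re

# Regex from the thread: rspirep ^(set-cookie:.*) \1;\ SameSite=strict
# ("\ " is an escaped space in haproxy.cfg; rspirep matches case-insensitively.)
NAIVE = re.compile(r"^(set-cookie:.*)", re.IGNORECASE)

# Constructed sample response header lines (not taken from the thread).
SAMPLE = [
    "Set-Cookie: JSESSIONID=abc123; Path=/; HttpOnly",
    "set-cookie: pref=dark; SameSite=Lax",
    "Content-Type: text/html",
]

def naive_rewrite(line):
    """Apply the regex as quoted: always append the attribute."""
    return NAIVE.sub(r"\1; SameSite=strict", line)

def attributes(line):
    """Lower-cased attribute names of a Set-Cookie line (name=value pair skipped)."""
    value = line.split(":", 1)[1]
    parts = [p.strip() for p in value.split(";")[1:]]
    return {p.split("=", 1)[0].lower() for p in parts if p}

def harden(line, tls):
    """Append SameSite=strict if absent, and Secure only when the session is TLS."""
    if not line.lower().startswith("set-cookie:"):
        return line  # other headers pass through untouched
    present = attributes(line)
    if "samesite" not in present:
        line += "; SameSite=strict"
    if tls and "secure" not in present:
        line += "; Secure"
    return line

if __name__ == "__main__":
    for tls in (False, True):
        print("TLS session:" if tls else "Clear-text session:")
        for header in SAMPLE:
            print("  naive :", naive_rewrite(header))
            print("  harden:", harden(header, tls))
```
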
