On 23/06/2018 14:42, mlist wrote:
You can use the `cookie` keyword and then remove the cookie with
http-request before you send it to the backend
https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4.2-http-request

e.g.:

# untested
cookie <cookie_name> insert indirect preserve nocache httponly
http-request replace-header Cookie cookie_name=([^~]*)(.*) cookie_name=\2

Maybe you can take a look into the code how the cookie is created ;-)

It is necessary to "not set Cookie secure" (in the response to the client),
not to delete secure on the request.

The cookie inserted for session management by the "cookie <cookie name>
insert..." keyword is managed directly by haproxy.

Without the possibility to add the "secure" flag with a condition (or to use
another haproxy mechanism), no one can use haproxy while being compliant with
cookie security without doing a separate backend for each special case
(impractical).

I don't know any other solution.
Can't you use ansible or any other tool to set up the backends
automatically?

Best regards
Aleks


mlist


APKAPPA s.r.l. registered office Via F. Albani, 21 20149 Milano | VAT no. IT-08543640158
administrative and operational office Reggio Emilia (RE) via M. K. Gandhi, 24/A 42123 - operational office Magenta (MI) via Milano 89/91 20013
www.apkappa.it

Pursuant to the personal data protection law (Legislative Decree 196/03 and related provisions), this email is intended solely for the persons indicated above and the information it contains is to be considered strictly confidential.
This email is confidential, do not use the contents for any purpose whatsoever 
nor disclose them to anyone else. If you are not the intended recipient, you 
should not copy, modify, distribute or take any action in reliance on it. If 
you have received this email in error, please notify the sender and delete this 
email from your system.

-----Original Message-----
From: Aleksandar Lazic <al-hapr...@none.at>
Sent: Tuesday 12 June 2018 23:29
To: mlist <ml...@apkappa.it>
Cc: haproxy@formilux.org
Subject: Re: cookie insert method secure

Hi.

On 12/06/2018 18:05, mlist wrote:
Hi Alekandar,

as I can see in the configuration documentation, the cookie command does not
seem to support <condition>.
Right now I use HA-Proxy version 1.8-dev0-530141f 2017/03/02; if I set the
"if { ssl_fc }" condition I get:

[ALERT] 162/194855 (10704) : parsing [/etc/haproxy/haproxy.cfg:657] : 'cookie' 
supports 'rewrite', 'insert', 'prefix', 'indirect', 'nocache', 'postonly', 
'domain', 'maxidle, and 'maxlife' options.

Also in the newer version documentation I cannot see support for <condition>

http://cbonte.github.io/haproxy-dconv/1.9/configuration.html#cookie%20(Alphabetically%20sorted%20keywords%20reference)

Ah, you are right, I hadn't thought that this keyword can't work with
conditions.

What you wrote was exactly what I'm looking for!

Are there also other new cookie security specifiers, such as SameSite=... ?

Sorry I don't understand this sentence.

I mean one can use other options than only those specified in the alert above,
i.e.:

cookie <cookie_name> insert indirect preserve nocache httponly SameSite=strict

We can "add" a flag to a cookie passing "through" haproxy with "rspirep ^(set-cookie:.*) \1;\ SameSite=strict ..."

[backend set a cookie] -> [haproxy add SameSite=strict to passing cookie] -> 
[client get altered cookie]

How can we do that with a cookie completely added by haproxy, as we see the
"cookie insert" command doesn't seem to support flags like
SameSite=strict:

DOESN'T WORK
[haproxy cookie insert SameSite=strict] -> [client get inserted cookie flag]

How about handling this with http-request

https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4.2-http-response

e. g.:
# \1 captures the cookie name=value before the first ';', \2 captures the
# remaining attributes (Path, Domain, Expires, ...) so they are kept instead of dropped
http-response replace-header Set-Cookie ^([^;]*)(;.*)? "\1\2; HttpOnly; SameSite=strict" if !{ ssl_fc }
http-response replace-header Set-Cookie ^([^;]*)(;.*)? "\1\2; HttpOnly; SameSite=strict; Secure" if { ssl_fc }

The insert, indirect, preserve and nocache options are a little bit complicated.

You can use the `cookie` keyword and then remove the cookie with http-request 
before you send it to the backend
https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4.2-http-request

e.g.:

# untested
cookie <cookie_name> insert indirect preserve nocache httponly
http-request replace-header Cookie cookie_name=([^~]*)(.*) cookie_name=\2

Maybe you can take a look into the code how the cookie is created ;-)

http://git.haproxy.org/?p=haproxy.git;a=blob;f=src/proto_http.c;hb=fd9655c54dc504f75afea9c45b3a34ffaba73db4#l5880

Best regards
Aleks
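As an added illustration (not code from the thread, nor HAProxy's own code), here is a small Python emulation of the `http-response replace-header Set-Cookie` rules discussed above, so the regex can be checked offline before it rewrites real Set-Cookie headers. It assumes HAProxy substitutes the first regex match in the whole header value with the format string, expanding `\1`/`\2` back-references (which is what `re.sub(..., count=1)` does here); the Set-Cookie values are constructed samples.

```python
import re

# Added example (not HAProxy code): an offline emulation of the
# `http-response replace-header Set-Cookie <regex> <fmt>` rules from the thread.
# Assumption: HAProxy replaces the first match of <regex> in the whole header
# value with <fmt>, expanding \1, \2 back-references, which is what
# re.sub(..., count=1) does here; one Set-Cookie value is handled per call.

# Rule as first posted in the thread: the regex needs a ';' to match at all, and
# the format string keeps only \1, so every attribute after the first ';' is lost.
POSTED_RE = r"([^;]*);(.*)"
POSTED_FMT = r"\1; HttpOnly; SameSite=strict"

# Corrected rule: the attribute tail is optional and is carried over via \2.
FIXED_RE = r"^([^;]*)(;.*)?"
FIXED_FMT = r"\1\2; HttpOnly; SameSite=strict"


def apply_rule(regex: str, fmt: str, value: str) -> str:
    """Emulate one replace-header rule on a single Set-Cookie value."""
    return re.sub(regex, fmt, value, count=1)


def rewrite_set_cookie(value: str, tls: bool,
                       regex: str = FIXED_RE, fmt: str = FIXED_FMT) -> str:
    """Emulate the pair of conditional rules: the `if !{ ssl_fc }` rule adds
    HttpOnly and SameSite, the `if { ssl_fc }` rule adds Secure as well."""
    return apply_rule(regex, fmt + ("; Secure" if tls else ""), value)


def lost_attributes(original: str, rewritten: str) -> list:
    """Attributes of the backend's Set-Cookie that the rewrite dropped (e.g. Path
    or Max-Age); losing them silently changes the cookie's scope or lifetime."""
    attrs = [a.strip() for a in original.split(";")[1:] if a.strip()]
    return [a for a in attrs if a not in rewritten]


if __name__ == "__main__":
    # Constructed sample values, not taken from any real traffic.
    samples = ["SRV=s1", "sid=abc; Path=/; Max-Age=3600"]
    for v in samples:
        posted = apply_rule(POSTED_RE, POSTED_FMT, v)
        print("posted rule:", posted, "lost:", lost_attributes(v, posted))
        print("fixed rule :", rewrite_set_cookie(v, tls=True))
```

Two things the emulation makes visible: a cookie with no attributes at all ("SRV=s1", exactly what `cookie ... insert` produces) is not matched by the first posted regex, so it receives no flags, and a backend cookie with Path or Max-Age loses them with the posted format string. The corrected rule handles both. It still appends a second `Secure` if the backend already sent one, which browsers tolerate but which is worth knowing when reading the rewritten headers.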



-----Original Message-----
From: Aleksandar Lazic <al-hapr...@none.at>
Sent: Tuesday 12 June 2018 19:29
To: mlist <ml...@apkappa.it>
Cc: haproxy@formilux.org
Subject: Re: cookie insert method secure

Hi.

On 12/06/2018 16:23, mlist wrote:
Hi,

is there a mechanism to specify, for a command like:

cookie <cookie_name> insert indirect preserve nocache httponly secure

to insert secure only if the session is SSL? So is it possible to use
this command on a common http/https backend without using 2 different
redundant backends?

You mean something like this?

frontend http
...
default_backend common_backend

frontend https
...
default_backend common_backend

backend common_backend
...
cookie <cookie_name> insert indirect preserve nocache httponly if !{ ssl_fc }
cookie <cookie_name> insert indirect preserve nocache httponly secure if { ssl_fc }
...

https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4.2-default_backend
https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.3.4-ssl_fc

Are there also other new cookie security specifiers, such as SameSite=... ?

Sorry I don't understand this sentence.

Thank you

Rob


This email is confidential, do not use the contents for any purpose
whatsoever nor disclose them to anyone else. If you are not the
intended recipient, you should not copy, modify, distribute or take any
action in reliance on it. If you have received this email in error,
please notify the sender and delete this email from your system.

HM, is the mailing list *the intended recipient* ;-) ?!

Best regards
Aleks
