Thank you for the help on bool var(…). Hard to find in documentation… Now also var(…) as ssl_fc do persist for txn (request/response). I tried adding an header based on the var persisted as bool and it worked, but as per straight “acl https_sess ssl_fc” also rspirep (or http-response) based on var(…) cannot modify Set-Cookie header inserted by “cookie <name> insert…” method. As I wrote, probably cookie insert method override any other response manipulation in the flow. Hard for me to read source code to verify this behavior. As now we changed configuration using 2 separate backend one for http (cookie… insert) one for https (cookie… insert… secure). It’ll be very useful a more flexible cookie insert method: with <condition>, with possibility to be modified in http-response phase end with possibility to add new cookie flags for security (ex: samesite) as new security standard emerge. How do you verify your variables memory consumption ? I cannot find a stat or method to verify variables not using lot of memory. Roberto
[APK] [Unione] mlist APKAPPA s.r.l. sede legale Via F. Albani, 21 20149 Milano | p.iva/vat no. IT-08543640158 sede amministrativa e operativa Reggio Emilia (RE) via M. K. Gandhi, 24/A 42123 - sede operativa Magenta (MI) via Milano 89/91 20013 www.apkappa.it<http://www.apkappa.it> Ai sensi e per gli effetti della Legge sulla tutela della riservatezza personale (DL.gs. 196/03 e collegate), questa mail è destinata unicamente alle persone sopra indicate e le informazioni in essa contenute sono da considerarsi strettamente riservate. This email is confidential, do not use the contents for any purpose whatsoever nor disclose them to anyone else. If you are not the intended recipient, you should not copy, modify, distribute or take any action in reliance on it. If you have received this email in error, please notify the sender and delete this email from your system. From: Igor Cicimov <ig...@encompasscorporation.com> Sent: lunedì 25 giugno 2018 06:12 To: mlist <ml...@apkappa.it> Cc: haproxy@formilux.org Subject: Re: cookie insert method secure On Sun, Jun 24, 2018 at 11:28 PM, mlist <ml...@apkappa.it<mailto:ml...@apkappa.it>> wrote: Hi Igor, as I see, this is not true. I think ssl_fs is just persisted between request and response as this work fine without setting vars (as for below example), but never works for cookie header inserted by “cookie <name> insert …”. It seems that cookie insert method override every other set cookie methods (probably applied as last operation on the flow): acl https_sess ssl_fc acl secure_c_present res.hdr(Set-Cookie),lower -m sub secure rspirep ^(set-cookie:.*) \1;\ Secure if https_sess !secure_c_present using vars instead doesn’t works, I tested trying to adding a header like this. It seems that this var is always false/null/empty: http-request set-var(txn.req_ssl) ssl_fc acl is_test var(txn.req_ssl) http-response set-header XXX-TEST-OPTIONS TEST1 if is_test is_test is never true as “http-request set-var(txn.req_ssl) ssl” is never what one think… if iI’m not wrong… You need to use the var as type bool in this case, this is from one of my setups: frontend: http-request set-var(txn.req_api) bool(true) if tx_is_api backend: acl api_call var(txn.req_api) -m bool