I prefer to use only one frontend for all requests, so I can centrally control many configs, avoiding replication of rules that are not so simple to maintain; but centralizing means managing the non-default cases, so: by default all http is converted to https if some conditions (acl) are not met (for applications we impose https, for web sites we leave the choice, ...).

We also use stick tables as the base for ddos control, etc., for now with only basic rules, and use the cookie mechanism for normal persistence and for the special client-side app persistence needed to identify the backend server in special situations. Config file attached.

From: Igor Cicimov [mailto:ig...@encompasscorporation.com]
Sent: Friday 6 October 2017 02:11
To: mlist <ml...@apsystems.it>
Cc: HAProxy <haproxy@formilux.org>
Subject: Re: Set-Cookie Secure

Hi,

On Fri, Oct 6, 2017 at 2:50 AM, mlist <ml...@apsystems.it> wrote:

Hi Igor, any news about this?

From: mlist
Sent: Friday 22 September 2017 08:58
To: 'Igor Cicimov' <ig...@encompasscorporation.com>
Cc: 'HAProxy' <haproxy@formilux.org>
Subject: RE: Set-Cookie Secure

I have an acl to leave some sites http (not redirected to https), so adding the secure flag on rspadd is not an option.

From: Igor Cicimov [mailto:ig...@encompasscorporation.com]
Sent: Friday 22 September 2017 02:35
To: mlist <ml...@apsystems.it>
Cc: HAProxy <haproxy@formilux.org>
Subject: Re: Set-Cookie Secure

Then you can unconditionally include Secure in your "rspadd Set-Cookie ..." since the communication between the client and HAP is always over SSL. Or am I missing something?

On Fri, Sep 22, 2017 at 10:18 AM, mlist <ml...@apsystems.it> wrote:

Hi Igor, I use fe_https:443-> be_http

From: Igor Cicimov [mailto:ig...@encompasscorporation.com]
Sent: Friday 22 September 2017 00:44
To: rob.mlist <rob.ml...@apsystems.it>
Cc: HAProxy <haproxy@formilux.org>
Subject: Re: Set-Cookie Secure

On 18 Sep 2017 10:37 pm, "rob.mlist" <rob.ml...@apsystems.it> wrote:

I set 2 cookies on behalf of the Backend Servers: one with these configuration lines at the Frontend:

    rspadd Set-Cookie:\ x_cookie_servedby=web1_;\ path=/ if id_web1 !back_cookie_present
    rspadd Set-Cookie:\ x_cookie_servedby=web4_;\ path=/ if id_web4 !back_cookie_present
    rspadd Set-Cookie:\ x_cookie_servedby=web10_;\ path=/ if id_web10 !back_cookie_present

one at the Backend with this line (and the Backend cookie directive on each server):

    cookie cookie_ha_srvid insert indirect preserve nocache

Now I need to change every response to clients to add the "secure" attribute for all client encrypted connections. I applied the following rules, but no secure attribute is added to the response:

    acl https_sess ssl_fc
    acl secured_cookie res.hdr(Set-Cookie),lower -m sub secure
    rspirep ^(set-cookie:.*) \1;\ Secure if https_sess !secured_cookie

Roberto

Well if you are handling the requests in two different, let's call them pipelines, like fe_http:80->be_http and fe_https:443-> be_https you can obviously set secure cookies for the second one only without any acl gymnastics.

Well no, not really. Above ^^^^^^^ I asked if you are (or can convert to) running two frontends, one for http and one for https, and you replied that you are not and that you are using a single fe_https:443-> be_http. Are you saying you have both http and https over the same 443 port? If not and you are really running a single frontend listening on both 80 and 443 for http/https, i.e. a fe_https:(80,443) -> be_http setup, I would say that your problem is here:

    acl https_sess ssl_fc
    acl secured_cookie res.hdr(Set-Cookie),lower -m sub secure
    rspirep ^(set-cookie:.*) \1;\ Secure if https_sess !secured_cookie

More specifically, using an acl in the response that is set based on the request will not work. Try using capture or set-var instead so the value set at request time is preserved for the logic applied at response time. Also sending the full config with sensitive data removed can be helpful.
Attachment: haproxy.cfg
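Igor's set-var suggestion, carried through as an added HAProxy configuration example that is neither the attached haproxy.cfg nor code from anyone in the thread. The TLS state is recorded once at request time in a transaction-scoped variable, and every response-phase rule tests that variable instead of ssl_fc. The frontend/backend names and the two cookie names come from the thread; the bind lines, certificate path, server addresses, the host-based redirect ACL, and the reading of id_webN as "which server answered" (srv_id) and of back_cookie_present as "the client already sent x_cookie_servedby" are assumptions. The rsp* directives from the thread were removed in HAProxy 2.1, so their http-response equivalents are used.

```haproxy
# Added example, not the thread's attached haproxy.cfg. Certificate path,
# server addresses and the host pattern are placeholders.
frontend fe_https
    mode http
    bind :80
    bind :443 ssl crt /etc/haproxy/certs/PLACEHOLDER.pem

    # ssl_fc is a request-side fact. Copy it into a txn.* variable so the
    # response rules below can still consult it after the request is gone.
    http-request set-var(txn.scheme) str(https) if { ssl_fc }
    http-request set-var(txn.scheme) str(http)  unless { ssl_fc }

    # Remember whether the client already carries the servedby cookie
    # (assumed meaning of the thread's back_cookie_present ACL). When the
    # cookie is absent the fetch fails and the variable stays unset.
    http-request set-var(txn.srv_cookie) req.cook(x_cookie_servedby)

    # Force https only for application hosts, leave plain web sites alone
    # (placeholder pattern standing in for the thread's own acl).
    acl is_app_host req.hdr(host),lower -m end .app.example
    http-request redirect scheme https code 301 if is_app_host !{ ssl_fc }

    default_backend be_http

backend be_http
    mode http

    # Persistence cookie inserted by HAProxy itself. HAProxy adds it after
    # the http-response rules have run, so replace-header never sees it; the
    # directive's own "secure" keyword flags it, but unconditionally, which
    # would break persistence for the plain-http sites on this backend.
    cookie cookie_ha_srvid insert indirect preserve nocache

    # All request-derived facts come from variables, not request fetches.
    acl is_https            var(txn.scheme)     -m str https
    acl back_cookie_present var(txn.srv_cookie) -m found
    acl secured_cookie      res.hdr(Set-Cookie),lower -m sub secure
    # Assumed meaning of the thread's id_webN ACLs: which server answered.
    acl id_web1  srv_id 1
    acl id_web4  srv_id 4
    acl id_web10 srv_id 10

    # 1. Cookies set by the application servers: append Secure on TLS
    #    connections when not already present. The ACL tests every
    #    Set-Cookie occurrence, so one already-secure cookie suppresses the
    #    rewrite for the whole response; it is a coarse check.
    http-response replace-header Set-Cookie ^(.*)$ \1;\ Secure if is_https !secured_cookie

    # 2. The servedby cookie set on behalf of the servers: emit the Secure
    #    variant only on TLS. Ordered after step 1 so it is never tagged
    #    twice and never trips the coarse check above.
    http-response add-header Set-Cookie "x_cookie_servedby=web1_; path=/; Secure"  if id_web1  !back_cookie_present is_https
    http-response add-header Set-Cookie "x_cookie_servedby=web1_; path=/"          if id_web1  !back_cookie_present !is_https
    http-response add-header Set-Cookie "x_cookie_servedby=web4_; path=/; Secure"  if id_web4  !back_cookie_present is_https
    http-response add-header Set-Cookie "x_cookie_servedby=web4_; path=/"          if id_web4  !back_cookie_present !is_https
    http-response add-header Set-Cookie "x_cookie_servedby=web10_; path=/; Secure" if id_web10 !back_cookie_present is_https
    http-response add-header Set-Cookie "x_cookie_servedby=web10_; path=/"         if id_web10 !back_cookie_present !is_https

    server web1  192.0.2.11:80 id 1  cookie s1  check
    server web4  192.0.2.14:80 id 4  cookie s4  check
    server web10 192.0.2.20:80 id 10 cookie s10 check
```

A quick way to confirm the behaviour is to fetch the same path once over port 80 and once over 443 (for example with curl -sI) and compare the Set-Cookie headers: only the TLS response should carry "; Secure" on the server cookies and on x_cookie_servedby, while cookie_ha_srvid stays unflagged on both unless the cookie directive itself gains the secure keyword.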