RE: Set-Cookie Secure

2018-06-07 Thread Roberto Cazzato
Hi,

your code, as the original:

acl https_sess ssl_fc
acl secured_cookie res.hdr(Set-Cookie),lower -m sub secure
rspirep ^(set-cookie:.*) \1;\ Secure if https_sess !secured_cookie

works only for cookies inserted by the backend servers:
(Backend sets cookie) -> (haproxy intercepts Set-Cookie and adds "Secure") ->
(client receives Set-Cookie WITH Secure)

It doesn't work in general for every cookie, e.g. those inserted by haproxy itself:
(haproxy adds a cookie with "cookie insert" or "rspadd Set-Cookie") ->
(client receives Set-Cookie WITHOUT Secure)

Is there a stage where haproxy can add Secure in all cases?

Thank you

PS: is there somewhere a logic schema of haproxy (like those for netfilter, e.g.
https://gist.github.com/nerdalert/a1687ae4da1cc44a437d), so one can know which
commands work where in haproxy? I found it not so simple to control haproxy
behaviour more deeply.



Dott. Roberto Cazzato
ICT and Cloud Security
Technical Department

APKAPPA s.r.l. registered office Via F. Albani, 21 20149 Milano | VAT no.
IT-08543640158
administrative and operational office Reggio Emilia (RE) via M. K. Gandhi, 24/A 42123
- operational office Magenta (MI) via Milano 89/91 20013
tel. 02 91712 000 | fax 02 91712 339 www.apkappa.it

Pursuant to the personal data protection law (Legislative Decree 196/03 and related
provisions), this e-mail is intended solely for the persons indicated above and the
information it contains is to be considered strictly confidential.
This email is confidential, do not use the contents for any purpose whatsoever
nor disclose them to anyone else. If you are not the intended recipient, you
should not copy, modify, distribute or take any action in reliance on it. If
you have received this email in error, please notify the sender and delete this
email from your system.





From: Igor Cicimov 
Sent: Monday 9 October 2017 06:38
To: mlist 
Cc: HAProxy 
Subject: Re: Set-Cookie Secure


Maybe try something like:

http-request set-var(txn.req_ssl) ssl_fc

acl https_sess var(txn.req_ssl)
acl secured_cookie res.hdr(Set-Cookie),lower -m sub secure
rspirep ^(set-cookie:.*) \1;\ Secure if https_sess !secured_cookie

So the first line sets a transaction variable valid for both the request AND the
response, and then uses it in the https_sess acl for the response.

On Sat, Oct 7, 2017 at 9:30 PM, mlist <ml...@apsystems.it> wrote:
I prefer to use only one frontend for all requests, so I can control many configs
centrally, avoiding replication of rules that are not so simple to maintain; but
centralizing means managing the non-default cases, so: by default all http is
converted to https if some conditions (acl) are not met (for applications we
impose https, for web sites we leave the choice, ...).
We also use stick tables as a base for ddos control, etc., for now only basic rules,
and use the cookie mechanism for normal persistence and for a special client-side
app persistence needed to identify the backend server in special situations.
Config file attached.
From: Igor Cicimov [mailto:ig...@encompasscorporation.com]
Sent: Friday 6 October 2017 02:11

To: mlist <ml...@apsystems.it>
Cc: HAProxy <haproxy@formilux.org>
Subject: Re: Set-Cookie Secure
Hi,
On Fri, Oct 6, 2017 at 2:50 AM, mlist <ml...@apsystems.it> wrote:
Hi Igor, some news about this ?
From: mlist
Sent: Friday 22 September 2017 08:58
To: 'Igor Cicimov' <ig...@encompasscorporation.com>
Cc: 'HAProxy' <haproxy@formilux.org>
Subject: RE: Set-Cookie Secure
I have acls to leave some sites on http (not redirected to https), so adding the
secure flag on rspadd is not an option.
From: Igor Cicimov [mailto:ig...@encompasscorporation.com]
Sent: Friday 22 September 2017 02:35
To: mlist <ml...@apsystems.it>
Cc: HAProxy <haproxy@formilux.org>
Subject: Re: Set-Cookie Secure
Then you can unconditionally include Secure in your "rspadd Set-Cookie ..." 
since the communication between the client and HAP is always over SSL. Or am I 
missing something?
On Fri, Sep 22, 2017 at 10:18 AM, mlist <ml...@apsystems.it> wrote:
Hi Igor, I use fe_https:443-> be_http
From: Igor Cicimov [mailto:ig...@encompasscorporation.com]
Sent: Friday 22 September 2017 00:44
To: rob.mlist <rob.ml...@apsystems.it>
Cc: HAProxy <haproxy@formilux.org>
Subject: Re: Set-Cookie Secure
On 18 Sep 2017 10:37 pm, "rob.mlist" <rob.ml...@apsystems.it> wrote:
I set 2 cookies on behalf of Backend Servers: one with these configuration 
lines at Frontend:
rspadd Set-Cookie:\ x_cookie_servedby=web1_;\ path=/ if id_web1 !back_cookie_present
rspadd Set-Cookie:\ x_cookie_servedby=web4_;\ path=/ if id_web4 !back_cookie_present
rspadd Set-Cookie:\ x_cookie_servedby=web10_;\ pat
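
A worked configuration for the three cookie sources listed in the message above
(cookies set by the backend servers, the persistence cookie from "cookie insert",
and the cookies HAProxy adds with rspadd), added here as an example; it is not
Roberto's attached haproxy.cfg and not code posted in the thread. It assumes
HAProxy 1.7/1.8, where rspadd and rspirep are still accepted, one frontend on
ports 80 and 443, backend servers with ids 1/4/10, a made-up certificate path,
and the id_web1 and back_cookie_present acl definitions given in the block, since
the originals are not on the page. It also replaces the thread's substring test
for an existing Secure attribute with a semicolon-anchored match, because
"-m sub secure" also fires on a cookie whose name or value merely contains that
string.

```haproxy
# Added example for this thread, not Roberto's attached haproxy.cfg.
# Assumptions: HAProxy 1.7/1.8 (rspadd/rspirep still accepted), one frontend
# on :80 and :443, backend be_web with servers web1/web4/web10 carrying ids
# 1/4/10, and the id_web1 / back_cookie_present acls defined here (their
# original definitions are not on the page). The certificate path is made up.
frontend fe_web
    mode http
    bind :80
    bind :443 ssl crt /etc/haproxy/certs/site.pem
    default_backend be_web

    # Record at request time whether the client leg is TLS. txn.* variables
    # live for the whole transaction, so response-side rules can test them.
    http-request set-var(txn.req_ssl) ssl_fc
    acl https_sess var(txn.req_ssl) -m bool

    # Case 1: cookies HAProxy emits itself with rspadd. Header filters
    # (rspirep) run before rspadd, so rspirep never sees these headers. Emit
    # them with the attribute already present on TLS sessions and without it
    # on plain http, where a Secure cookie would simply be discarded by the
    # browser. Repeat the pair of rspadd lines for web4 (id 4) and web10 (id 10).
    acl id_web1 srv_id 1
    acl back_cookie_present res.cook(x_cookie_servedby) -m found
    rspadd Set-Cookie:\ x_cookie_servedby=web1_;\ path=/;\ Secure if id_web1 !back_cookie_present https_sess
    rspadd Set-Cookie:\ x_cookie_servedby=web1_;\ path=/ if id_web1 !back_cookie_present !https_sess

    # Case 3: cookies set by the backend servers. Add Secure on TLS sessions
    # unless the header already carries the attribute. The thread's
    # "-m sub secure" test matches any Set-Cookie whose name or value merely
    # contains the string (e.g. insecure_mode=1), leaving that cookie without
    # the flag. In a Set-Cookie header everything after the first ';' is an
    # attribute, so anchoring on the semicolon matches the attribute itself.
    # The acl is still evaluated once over all Set-Cookie headers of the
    # response: one cookie that is already Secure stops the rewrite of the
    # others, so keep the backends consistent rather than rely on this.
    acl secured_cookie res.hdr(Set-Cookie),lower -m reg ;[[:space:]]*secure
    rspirep ^(set-cookie:.*) \1;\ Secure if https_sess !secured_cookie

backend be_web
    mode http
    balance roundrobin
    # Case 2: the persistence cookie is inserted by HAProxy after the response
    # rules have run, so neither rspadd nor rspirep can touch it. The cookie
    # directive carries its own attributes. "secure" is unconditional: on the
    # sites still served over plain http the browser drops this cookie and
    # persistence does not stick there; that is the trade-off of one mixed
    # frontend.
    cookie cookie_ha_srvid insert indirect preserve nocache secure httponly
    server web1  10.0.0.1:80  id 1  cookie web1  check
    server web4  10.0.0.4:80  id 4  cookie web4  check
    server web10 10.0.0.10:80 id 10 cookie web10 check
```

Check the syntax with "haproxy -c -f /etc/haproxy/haproxy.cfg", then compare
"curl -skI https://<host>/" with the same request over http: on the TLS response
every Set-Cookie should carry "; Secure", on the plain-http response only the
persistence cookie does, and that one the browser will drop. From HAProxy 2.1 on,
rspadd and rspirep no longer exist; the equivalents are "http-response add-header
Set-Cookie ..." and "http-response replace-header Set-Cookie (.*) \1;\ Secure if
...", and the ordering caveat for the cookie directive still applies.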

Re: Set-Cookie Secure

2017-10-08 Thread Igor Cicimov
Maybe try something like:

   http-request set-var(txn.req_ssl) ssl_fc

   acl https_sess var(txn.req_ssl)
   acl secured_cookie res.hdr(Set-Cookie),lower -m sub secure
   rspirep ^(set-cookie:.*) \1;\ Secure if https_sess !secured_cookie

So the first line sets a transaction variable valid for both the request AND the
response, and then uses it in the https_sess acl for the response.

On Sat, Oct 7, 2017 at 9:30 PM, mlist <ml...@apsystems.it> wrote:

> I prefer to use only one frontend for all requests, so I can control many
> configs centrally, avoiding replication of rules that are not so simple to
> maintain; but centralizing means managing the non-default cases, so: by
> default all http is converted to https if some conditions (acl) are not met
> (for applications we impose https, for web sites we leave the choice, ...).
>
> We also use stick tables as a base for ddos control, etc., for now only basic
> rules, and use the cookie mechanism for normal persistence and for a special
> client-side app persistence needed to identify the backend server in special
> situations.
>
> Config file attached.
>
> *From:* Igor Cicimov [mailto:ig...@encompasscorporation.com]
> *Sent:* Friday 6 October 2017 02:11
>
> *To:* mlist <ml...@apsystems.it>
> *Cc:* HAProxy <haproxy@formilux.org>
> *Subject:* Re: Set-Cookie Secure
>
>
>
> Hi,
>
>
>
> On Fri, Oct 6, 2017 at 2:50 AM, mlist <ml...@apsystems.it> wrote:
>
> Hi Igor, some news about this ?
>
>
>
> *From:* mlist
> *Sent:* Friday 22 September 2017 08:58
> *To:* 'Igor Cicimov' <ig...@encompasscorporation.com>
> *Cc:* 'HAProxy' <haproxy@formilux.org>
> *Subject:* RE: Set-Cookie Secure
>
>
>
> I have acls to leave some sites on http (not redirected to https), so adding
> the secure flag on rspadd is not an option.
>
>
>
> *From:* Igor Cicimov [mailto:ig...@encompasscorporation.com]
> *Sent:* Friday 22 September 2017 02:35
> *To:* mlist <ml...@apsystems.it>
> *Cc:* HAProxy <haproxy@formilux.org>
> *Subject:* Re: Set-Cookie Secure
>
>
>
> Then you can unconditionally include Secure in your "rspadd Set-Cookie
> ..." since the communication between the client and HAP is always over SSL.
> Or am I missing something?
>
>
>
> On Fri, Sep 22, 2017 at 10:18 AM, mlist <ml...@apsystems.it> wrote:
>
> Hi Igor, I use fe_https:443-> be_http
>
>
>
> *From:* Igor Cicimov [mailto:ig...@encompasscorporation.com]
> *Sent:* Friday 22 September 2017 00:44
> *To:* rob.mlist <rob.ml...@apsystems.it>
> *Cc:* HAProxy <haproxy@formilux.org>
> *Subject:* Re: Set-Cookie Secure
>
>
>
>
>
>
>
> On 18 Sep 2017 10:37 pm, "rob.mlist" <rob.ml...@apsystems.it> wrote:
>
> I set 2 cookies on behalf of Backend Servers: one with these configuration
> lines at Frontend:
>
>
>
>    rspadd Set-Cookie:\ x_cookie_servedby=web1_;\ path=/  if id_web1 !back_cookie_present
>
>    rspadd Set-Cookie:\ x_cookie_servedby=web4_;\ path=/  if id_web4 !back_cookie_present
>
>    rspadd Set-Cookie:\ x_cookie_servedby=web10_;\ path=/  if id_web10 !back_cookie_present
>
>
>
> one at Backend with this line (and Backend cookie directive on each
> server):
>
>cookie cookie_ha_srvid insert indirect preserve nocache
>
>
>
> now I need to change every response to clients to add "secure" attribute
> for all client encrypted connections.
>
> I applied the following rules, but *no secure attribute is added to the
> response*:
>
>
>
>
>    acl https_sess ssl_fc
>
>    acl secured_cookie res.hdr(Set-Cookie),lower -m sub secure
>
>    rspirep ^(set-cookie:.*) \1;\ Secure if https_sess !secured_cookie
>
>
>
>
>
> Roberto
>
> Well if you are handling the requests in two different, let's call them
> pipelines, like fe_http:80->be_http and fe_https:443-> be_https you can
> obviously set secure cookies for the second one only without any acl
> gymnastics.
>
>
>
> Well no, not really. Above ^^^ I asked if you are (or can convert
> to) running two frontends, one for http and one for https, and you replied
> that you are not and that you are using a single *fe_https:443-> be_http*.
> Are you saying you have both http and https over the same 443 port?
>
> If not and you are really running a single frontend listening on both 80 and
> 443 for http/https, i.e. *fe_https:(80,443) -> be_http *setup, I would
> say that your problem is here:
>
> *acl https_sess ssl_fc *
>
>  acl secured_cookie res.hdr(Set-Cookie),lower -m sub secure
>
>  rspirep ^(set-cookie:.*) \1;\ Secure if *https_sess* !secured_cookie
>
> More specifically, using an acl in the response that is set based on the
> request will not work. Try using *capture* or *set-var* instead so the
> value set at request time is preserved for the logic applied at
> response time.
>
>
>
> Also sending the full config with sensitive data removed can be helpful.
>


RE: Set-Cookie Secure

2017-10-07 Thread mlist
I prefer to use only one frontend for all requests, so I can control many configs
centrally, avoiding replication of rules that are not so simple to maintain; but
centralizing means managing the non-default cases, so: by default all http is
converted to https if some conditions (acl) are not met (for applications we
impose https, for web sites we leave the choice, ...).

We also use stick tables as a base for ddos control, etc., for now only basic
rules, and use the cookie mechanism for normal persistence and for a special
client-side app persistence needed to identify the backend server in special
situations.

Config file attached.




From: Igor Cicimov [mailto:ig...@encompasscorporation.com]
Sent: Friday 6 October 2017 02:11
To: mlist <ml...@apsystems.it>
Cc: HAProxy <haproxy@formilux.org>
Subject: Re: Set-Cookie Secure

Hi,

On Fri, Oct 6, 2017 at 2:50 AM, mlist <ml...@apsystems.it> wrote:
Hi Igor, some news about this ?

From: mlist
Sent: Friday 22 September 2017 08:58
To: 'Igor Cicimov' <ig...@encompasscorporation.com>
Cc: 'HAProxy' <haproxy@formilux.org>
Subject: RE: Set-Cookie Secure

I have acls to leave some sites on http (not redirected to https), so adding the
secure flag on rspadd is not an option.

From: Igor Cicimov [mailto:ig...@encompasscorporation.com]
Sent: Friday 22 September 2017 02:35
To: mlist <ml...@apsystems.it>
Cc: HAProxy <haproxy@formilux.org>
Subject: Re: Set-Cookie Secure

Then you can unconditionally include Secure in your "rspadd Set-Cookie ..." 
since the communication between the client and HAP is always over SSL. Or am I 
missing something?

On Fri, Sep 22, 2017 at 10:18 AM, mlist <ml...@apsystems.it> wrote:
Hi Igor, I use fe_https:443-> be_http

From: Igor Cicimov [mailto:ig...@encompasscorporation.com]
Sent: Friday 22 September 2017 00:44
To: rob.mlist <rob.ml...@apsystems.it>
Cc: HAProxy <haproxy@formilux.org>
Subject: Re: Set-Cookie Secure



On 18 Sep 2017 10:37 pm, "rob.mlist" <rob.ml...@apsystems.it> wrote:
I set 2 cookies on behalf of Backend Servers: one with these configuration 
lines at Frontend:

   rspadd Set-Cookie:\ x_cookie_servedby=web1_;\ path=/  if id_web1 !back_cookie_present
   rspadd Set-Cookie:\ x_cookie_servedby=web4_;\ path=/  if id_web4 !back_cookie_present
   rspadd Set-Cookie:\ x_cookie_servedby=web10_;\ path=/  if id_web10 !back_cookie_present

one at Backend with this line (and Backend cookie directive on each server):
   cookie cookie_ha_srvid insert indirect preserve nocache

now I need to change every response to clients to add "secure" attribute for 
all client encrypted connections.
I applied the following rules, but no secure attribute is added to the response:

   acl https_sess ssl_fc
   acl secured_cookie res.hdr(Set-Cookie),lower -m sub secure
   rspirep ^(set-cookie:.*) \1;\ Secure if https_sess !secured_cookie


Roberto
Well if you are handling the requests in two different, let's call them 
pipelines, like fe_http:80->be_http and fe_https:443-> be_https you can 
obviously set secure cookies for the second one only without any acl gymnastics.

Well no, not really. Above ^^^ I asked if you are (or can convert to) 
running two frontends, one for http and one for https, and you replied that you 
are not and that you are using a single fe_https:443-> be_http. Are you saying 
you have both http and https over the same 443 port?

If not and you are really running a single frontend listening on both 80 and 443 
for http/https, i.e. fe_https:(80,443) -> be_http setup, I would say that your 
problem is here:

   acl https_sess ssl_fc
   acl secured_cookie res.hdr(Set-Cookie),lower -m sub secure
   rspirep ^(set-cookie:.*) \1;\ Secure if https_sess !secured_cookie

More specifically, using an acl in the response that is set based on the request 
will not work. Try using capture or set-var instead so the value set at request 
time is preserved for the logic applied at response time.

Also sending the full config with sensitive data removed can be helpful.






haproxy.cfg
Description: haproxy.cfg


Re: Set-Cookie Secure

2017-10-05 Thread Igor Cicimov
Hi,

On Fri, Oct 6, 2017 at 2:50 AM, mlist <ml...@apsystems.it> wrote:

> Hi Igor, some news about this ?
>
>
>
> *From:* mlist
> *Sent:* Friday 22 September 2017 08:58
> *To:* 'Igor Cicimov' <ig...@encompasscorporation.com>
> *Cc:* 'HAProxy' <haproxy@formilux.org>
> *Subject:* RE: Set-Cookie Secure
>
>
>
> I have acls to leave some sites on http (not redirected to https), so adding
> the secure flag on rspadd is not an option.
>
>
>
> *From:* Igor Cicimov [mailto:ig...@encompasscorporation.com]
> *Sent:* Friday 22 September 2017 02:35
> *To:* mlist <ml...@apsystems.it>
> *Cc:* HAProxy <haproxy@formilux.org>
> *Subject:* Re: Set-Cookie Secure
>
>
>
> Then you can unconditionally include Secure in your "rspadd Set-Cookie
> ..." since the communication between the client and HAP is always over SSL.
> Or am I missing something?
>
>
>
> On Fri, Sep 22, 2017 at 10:18 AM, mlist <ml...@apsystems.it> wrote:
>
> Hi Igor, I use fe_https:443-> be_http
>
>
>
> *From:* Igor Cicimov [mailto:ig...@encompasscorporation.com]
> *Sent:* Friday 22 September 2017 00:44
> *To:* rob.mlist <rob.ml...@apsystems.it>
> *Cc:* HAProxy <haproxy@formilux.org>
> *Subject:* Re: Set-Cookie Secure
>
>
>
>
>
>
>
> On 18 Sep 2017 10:37 pm, "rob.mlist" <rob.ml...@apsystems.it> wrote:
>
> I set 2 cookies on behalf of Backend Servers: one with these configuration
> lines at Frontend:
>
>
>
>    rspadd Set-Cookie:\ x_cookie_servedby=web1_;\ path=/  if id_web1 !back_cookie_present
>
>    rspadd Set-Cookie:\ x_cookie_servedby=web4_;\ path=/  if id_web4 !back_cookie_present
>
>    rspadd Set-Cookie:\ x_cookie_servedby=web10_;\ path=/  if id_web10 !back_cookie_present
>
>
>
> one at Backend with this line (and Backend cookie directive on each
> server):
>
>cookie cookie_ha_srvid insert indirect preserve nocache
>
>
>
> now I need to change every response to clients to add "secure" attribute
> for all client encrypted connections.
>
> I applied the following rules, but *no secure attribute is added to the
> response*:
>
>
>
>
>    acl https_sess ssl_fc
>
>    acl secured_cookie res.hdr(Set-Cookie),lower -m sub secure
>
>    rspirep ^(set-cookie:.*) \1;\ Secure if https_sess !secured_cookie
>
>
>
>
>
> Roberto
>
> Well if you are handling the requests in two different, let's call them
> pipelines, like fe_http:80->be_http and fe_https:443-> be_https you can
> obviously set secure cookies for the second one only without any acl
> gymnastics.
>
>
>
Well no, not really. Above ^^^ I asked if you are (or can convert
to) running two frontends, one for http and one for https, and you replied
that you are not and that you are using a single *fe_https:443-> be_http*.
Are you saying you have both http and https over the same 443 port?

If not and you are really running a single frontend listening on both 80 and
443 for http/https, i.e. *fe_https:(80,443) -> be_http *setup, I would say
that your problem is here:

*acl https_sess ssl_fc *

 acl secured_cookie res.hdr(Set-Cookie),lower -m sub secure

 rspirep ^(set-cookie:.*) \1;\ Secure if *https_sess* !secured_cookie

More specifically, using an acl in the response that is set based on the request
will not work. Try using *capture* or *set-var* instead so the value set at
request time is preserved for the logic applied at response time.

Also sending the full config with sensitive data removed can be helpful.


RE: Set-Cookie Secure

2017-10-05 Thread mlist
Hi Igor, some news about this ?

From: mlist
Sent: Friday 22 September 2017 08:58
To: 'Igor Cicimov' <ig...@encompasscorporation.com>
Cc: 'HAProxy' <haproxy@formilux.org>
Subject: RE: Set-Cookie Secure

I have acls to leave some sites on http (not redirected to https), so adding the
secure flag on rspadd is not an option.

From: Igor Cicimov [mailto:ig...@encompasscorporation.com]
Sent: Friday 22 September 2017 02:35
To: mlist <ml...@apsystems.it>
Cc: HAProxy <haproxy@formilux.org>
Subject: Re: Set-Cookie Secure

Then you can unconditionally include Secure in your "rspadd Set-Cookie ..." 
since the communication between the client and HAP is always over SSL. Or am I 
missing something?

On Fri, Sep 22, 2017 at 10:18 AM, mlist <ml...@apsystems.it> wrote:
Hi Igor, I use fe_https:443-> be_http

From: Igor Cicimov [mailto:ig...@encompasscorporation.com]
Sent: Friday 22 September 2017 00:44
To: rob.mlist <rob.ml...@apsystems.it>
Cc: HAProxy <haproxy@formilux.org>
Subject: Re: Set-Cookie Secure



On 18 Sep 2017 10:37 pm, "rob.mlist" <rob.ml...@apsystems.it> wrote:
I set 2 cookies on behalf of Backend Servers: one with these configuration 
lines at Frontend:

   rspadd Set-Cookie:\ x_cookie_servedby=web1_;\ path=/  if id_web1 !back_cookie_present
   rspadd Set-Cookie:\ x_cookie_servedby=web4_;\ path=/  if id_web4 !back_cookie_present
   rspadd Set-Cookie:\ x_cookie_servedby=web10_;\ path=/  if id_web10 !back_cookie_present

one at Backend with this line (and Backend cookie directive on each server):
   cookie cookie_ha_srvid insert indirect preserve nocache

now I need to change every response to clients to add "secure" attribute for 
all client encrypted connections.
I applied the following rules, but no secure attribute is added to the response:

   acl https_sess ssl_fc
   acl secured_cookie res.hdr(Set-Cookie),lower -m sub secure
   rspirep ^(set-cookie:.*) \1;\ Secure if https_sess !secured_cookie


Roberto
Well if you are handling the requests in two different, let's call them 
pipelines, like fe_http:80->be_http and fe_https:443-> be_https you can 
obviously set secure cookies for the second one only without any acl gymnastics.




RE: Set-Cookie Secure

2017-09-22 Thread mlist
I have acls to leave some sites on http (not redirected to https), so adding the
secure flag on rspadd is not an option.

From: Igor Cicimov [mailto:ig...@encompasscorporation.com]
Sent: Friday 22 September 2017 02:35
To: mlist <ml...@apsystems.it>
Cc: HAProxy <haproxy@formilux.org>
Subject: Re: Set-Cookie Secure

Then you can unconditionally include Secure in your "rspadd Set-Cookie ..." 
since the communication between the client and HAP is always over SSL. Or am I 
missing something?

On Fri, Sep 22, 2017 at 10:18 AM, mlist <ml...@apsystems.it> wrote:
Hi Igor, I use fe_https:443-> be_http

From: Igor Cicimov [mailto:ig...@encompasscorporation.com]
Sent: Friday 22 September 2017 00:44
To: rob.mlist <rob.ml...@apsystems.it>
Cc: HAProxy <haproxy@formilux.org>
Subject: Re: Set-Cookie Secure



On 18 Sep 2017 10:37 pm, "rob.mlist" <rob.ml...@apsystems.it> wrote:
I set 2 cookies on behalf of Backend Servers: one with these configuration 
lines at Frontend:

   rspadd Set-Cookie:\ x_cookie_servedby=web1_;\ path=/  if id_web1 !back_cookie_present
   rspadd Set-Cookie:\ x_cookie_servedby=web4_;\ path=/  if id_web4 !back_cookie_present
   rspadd Set-Cookie:\ x_cookie_servedby=web10_;\ path=/  if id_web10 !back_cookie_present

one at Backend with this line (and Backend cookie directive on each server):
   cookie cookie_ha_srvid insert indirect preserve nocache

now I need to change every response to clients to add "secure" attribute for 
all client encrypted connections.
I applied the following rules, but no secure attribute is added to the response:

   acl https_sess ssl_fc
   acl secured_cookie res.hdr(Set-Cookie),lower -m sub secure
   rspirep ^(set-cookie:.*) \1;\ Secure if https_sess !secured_cookie


Roberto
Well if you are handling the requests in two different, let's call them 
pipelines, like fe_http:80->be_http and fe_https:443-> be_https you can 
obviously set secure cookies for the second one only without any acl gymnastics.




Re: Set-Cookie Secure

2017-09-21 Thread Igor Cicimov
Then you can unconditionally include Secure in your "rspadd Set-Cookie ..."
since the communication between the client and HAP is always over SSL. Or
am I missing something?

On Fri, Sep 22, 2017 at 10:18 AM, mlist <ml...@apsystems.it> wrote:

> Hi Igor, I use fe_https:443-> be_http
>
>
>
> *From:* Igor Cicimov [mailto:ig...@encompasscorporation.com]
> *Sent:* Friday 22 September 2017 00:44
> *To:* rob.mlist <rob.ml...@apsystems.it>
> *Cc:* HAProxy <haproxy@formilux.org>
> *Subject:* Re: Set-Cookie Secure
>
>
>
>
>
>
>
> On 18 Sep 2017 10:37 pm, "rob.mlist" <rob.ml...@apsystems.it> wrote:
>
> I set 2 cookies on behalf of Backend Servers: one with these configuration
> lines at Frontend:
>
>
>
>    rspadd Set-Cookie:\ x_cookie_servedby=web1_;\ path=/  if id_web1 !back_cookie_present
>
>    rspadd Set-Cookie:\ x_cookie_servedby=web4_;\ path=/  if id_web4 !back_cookie_present
>
>    rspadd Set-Cookie:\ x_cookie_servedby=web10_;\ path=/  if id_web10 !back_cookie_present
>
>
>
> one at Backend with this line (and Backend cookie directive on each
> server):
>
>cookie cookie_ha_srvid insert indirect preserve nocache
>
>
>
> now I need to change every response to clients to add "secure" attribute
> for all client encrypted connections.
>
> I applied the following rules, but *no secure attribute is added to the
> response*:
>
>
>
>acl https_sess ssl_fc
>
>acl secured_cookie res.hdr(Set-Cookie),lower -m sub secure
>
>rspirep ^(set-cookie:.*) \1;\ Secure if https_sess !secured_cookie
>
>
>
>
>
> Roberto
>
> Well if you are handling the requests in two different, let's call them
> pipelines, like fe_http:80->be_http and fe_https:443-> be_https you can
> obviously set secure cookies for the second one only without any acl
> gymnastics.
>
>
>


RE: Set-Cookie Secure

2017-09-21 Thread mlist
Hi Igor, I use fe_https:443-> be_http

From: Igor Cicimov [mailto:ig...@encompasscorporation.com]
Sent: Friday 22 September 2017 00:44
To: rob.mlist <rob.ml...@apsystems.it>
Cc: HAProxy <haproxy@formilux.org>
Subject: Re: Set-Cookie Secure



On 18 Sep 2017 10:37 pm, "rob.mlist" <rob.ml...@apsystems.it> wrote:
I set 2 cookies on behalf of Backend Servers: one with these configuration 
lines at Frontend:

   rspadd Set-Cookie:\ x_cookie_servedby=web1_;\ path=/  if id_web1 !back_cookie_present
   rspadd Set-Cookie:\ x_cookie_servedby=web4_;\ path=/  if id_web4 !back_cookie_present
   rspadd Set-Cookie:\ x_cookie_servedby=web10_;\ path=/  if id_web10 !back_cookie_present

one at Backend with this line (and Backend cookie directive on each server):
   cookie cookie_ha_srvid insert indirect preserve nocache

now I need to change every response to clients to add "secure" attribute for 
all client encrypted connections.
I applied the following rules, but no secure attribute is added to the response:

   acl https_sess ssl_fc
   acl secured_cookie res.hdr(Set-Cookie),lower -m sub secure
   rspirep ^(set-cookie:.*) \1;\ Secure if https_sess !secured_cookie


Roberto
Well if you are handling the requests in two different, let's call them 
pipelines, like fe_http:80->be_http and fe_https:443-> be_https you can 
obviously set secure cookies for the second one only without any acl gymnastics.



Re: Set-Cookie Secure

2017-09-21 Thread Igor Cicimov
On 18 Sep 2017 10:37 pm, "rob.mlist" wrote:

I set 2 cookies on behalf of Backend Servers: one with these configuration
lines at Frontend:



   rspadd Set-Cookie:\ x_cookie_servedby=web1_;\ path=/  if id_web1 !back_cookie_present

   rspadd Set-Cookie:\ x_cookie_servedby=web4_;\ path=/  if id_web4 !back_cookie_present

   rspadd Set-Cookie:\ x_cookie_servedby=web10_;\ path=/  if id_web10 !back_cookie_present



one at Backend with this line (and Backend cookie directive on each
server):

   cookie cookie_ha_srvid insert indirect preserve nocache



now I need to change every response to clients to add "secure" attribute
for all client encrypted connections.

I applied the following rules, but *no secure attribute is added to the
response*:



   acl https_sess ssl_fc

   acl secured_cookie res.hdr(Set-Cookie),lower -m sub secure

   rspirep ^(set-cookie:.*) \1;\ Secure if https_sess !secured_cookie





Roberto

Well if you are handling the requests in two different, let's call them
pipelines, like fe_http:80->be_http and fe_https:443-> be_https you can
obviously set secure cookies for the second one only without any acl
gymnastics.


Re: Set-Cookie Secure

2017-09-18 Thread Marco Corte

Hello, list!

now I need to change every response to clients to add "secure" attribute 
for all client encrypted connections.


I applied following rules, but _no secure attribute is added to the 
response_:


Is it possible that this is in some way related to the issue that I 
noticed some weeks ago?

https://www.mail-archive.com/haproxy@formilux.org/msg27036.html

I assume that only cookies coming from the real servers can be 
manipulated, but I could be wrong.


.marcoc