Hide a request cookie in proxy_pass

gthb nginx-forum at nginx.us
Fri Aug 29 15:55:08 UTC 2014


is it possible to hide one request cookie (but not all, so proxy_set_header
Cookie "" is not the way) when proxying to an upstream server?

The use case is:

* website foo.com uses a hosted service on a subdomain, e.g. blog.foo.com
hosted by Wordpress.com

* horror: MSIE will send all foo.com cookies to the subdomain too, leaking
sessions (not just to Wordpress.com but to everyone because blog.foo.com
does not support HTTPS), and there's no way to tell it not to

* proposed workaround: serve blog.foo.com yourself, using Nginx, HTTPS-only,
proxying to the hosted service (as foo.wordpress.com, which does support
HTTPS), and stripping out the parent-domain request cookies

Is there a way to do this with Nginx? A way to rewrite the Cookie header to
strip out selected cookies?

Or is the only way out of this to avoid the subdomain cookie situation
altogether, either by running www.foo.com instead of foo.com, or by
abandoning the subdomain and using e.g. foo.com/blog/ instead?



Posted at Nginx Forum: http://forum.nginx.org/read.php?2,252944,252944#msg-252944

More information about the nginx mailing list