Hide a request cookie in proxy_pass

Maxim Dounin mdounin at mdounin.ru
Fri Aug 29 17:27:25 UTC 2014


On Fri, Aug 29, 2014 at 11:55:08AM -0400, gthb wrote:

> Hi,
> is it possible to hide one request cookie (but not all, so proxy_set_header
> Cookie "" is not the way) when proxying to an upstream server?
> The use case is:
> * website foo.com uses a hosted service on a subdomain, e.g. blog.foo.com
> hosted by Wordpress.com
> * horror: MSIE will send all foo.com cookies to the subdomain too, leaking
> sessions (not just to Wordpress.com but to everyone because blog.foo.com
> does not support HTTPS), and there's no way to tell it not to
> * proposed workaround: serve blog.foo.com yourself, using Nginx, HTTPS-only,
> proxying to the hosted service (as foo.wordpress.com, which does support
> HTTPS), and stripping out the parent-domain request cookies
> Is there a way to do this with Nginx? A way to rewrite the Cookie header to
> strip out selected cookies?

With proxy_set_header you can change the header to any value, 
including one with a particular cookie removed.  The tricky part 
is to construct a new value for the original header.  Something like 
this should work:

    # start from the Cookie header the client sent
    set $new_cookie $http_cookie;

    # if a "secret" cookie is present, keep only what precedes and follows it
    if ($http_cookie ~ "(.*)(?:^|;)\s*secret=[^;]+(.*)") {
        set $new_cookie $1$2;
    }

    # pass the rewritten header upstream instead of the original
    proxy_set_header Cookie $new_cookie;

(Note that the above is completely untested.)

Maxim Dounin
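To see what the `if`/`set` rewrite above actually does to a Cookie header before it is proxied, here is an added Python example (it is not part of the thread and not nginx code). It applies the same regular expression the way the nginx snippet would, and puts a parse-and-rebuild variant beside it that can drop several named cookies at once; the cookie names and header values are constructed for illustration, and the assumption is that Python's `re` handles this pattern the same way nginx's PCRE does.

```python
import re
from typing import Iterable


def strip_cookie_nginx_style(cookie_header: str, name: str = "secret") -> str:
    """Mimic `if ($http_cookie ~ "(.*)(?:^|;)\\s*NAME=[^;]+(.*)") { set $new_cookie $1$2; }`.

    nginx's `~` is an unanchored regex match, so re.search() is used here; the leading
    `(.*)` pins the match to the start of the header anyway.
    """
    pattern = re.compile(r"(.*)(?:^|;)\s*" + re.escape(name) + r"=[^;]+(.*)")
    m = pattern.search(cookie_header)
    if m is None:
        # no match: $new_cookie keeps the original $http_cookie value
        return cookie_header
    return m.group(1) + m.group(2)


def strip_cookie(cookie_header: str, names: Iterable[str]) -> str:
    """Parse the Cookie header into name=value pairs, drop the named ones, rebuild.

    This is the more defensive approach: it handles the cookie being first, only,
    or having an empty value, and it never leaves a dangling separator behind.
    """
    drop = set(names)
    kept = []
    for part in cookie_header.split(";"):
        part = part.strip()
        if not part:
            continue
        cookie_name, _, _value = part.partition("=")
        if cookie_name.strip() in drop:
            continue
        kept.append(part)
    return "; ".join(kept)


if __name__ == "__main__":
    # constructed sample headers, not captured traffic
    samples = [
        "a=1; secret=x; b=2",      # cookie in the middle
        "secret=x; b=2",           # cookie first
        "a=1; secret=x",           # cookie last
        "notsecret=1; b=2",        # name that merely ends in "secret"
        "a=1; secret=; b=2",       # empty value
    ]
    for header in samples:
        print(f"{header!r:28} regex -> {strip_cookie_nginx_style(header)!r:20} "
              f"parse -> {strip_cookie(header, ['secret'])!r}")
```

Two edge cases are worth knowing about when deploying the regex form: when the cookie to remove is the first one, `$1` is empty and the rewritten header starts with `; ` (most servers tolerate this but it is not a clean header), and a cookie with an empty value is not matched at all because of `[^;]+`, so it would still reach the upstream. The parse-and-rebuild variant avoids both, and takes a set of names, which suits the case described in the thread where several parent-domain session cookies need to be kept away from the hosted service.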

