Hide a request cookie in proxy_pass
Maxim Dounin
mdounin at mdounin.ru
Fri Aug 29 17:27:25 UTC 2014
Hello!
On Fri, Aug 29, 2014 at 11:55:08AM -0400, gthb wrote:
> Hi,
>
> is it possible to hide one request cookie (but not all, so proxy_set_header
> Cookie "" is not the way) when proxying to an upstream server?
>
> The use case is:
>
> * website foo.com uses a hosted service on a subdomain, e.g. blog.foo.com
> hosted by Wordpress.com
>
> * horror: MSIE will send all foo.com cookies to the subdomain too, leaking
> sessions (not just to Wordpress.com but to everyone because blog.foo.com
> does not support HTTPS), and there's no way to tell it not to
>
> * proposed workaround: serve blog.foo.com yourself, using Nginx, HTTPS-only,
> proxying to the hosted service (as foo.wordpress.com, which does support
> HTTPS), and stripping out the parent-domain request cookies
>
> Is there a way to do this with Nginx? A way to rewrite the Cookie header to
> strip out selected cookies?
With proxy_set_header you can change the header to any value,
including one with a particular cookie removed. The tricky part
is to construct a new value for the original header. Something like
this should work:
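
    # Default: pass the original Cookie header through unchanged.
    set $new_cookie $http_cookie;
    # If a "secret" cookie is present, keep only the text before and after it.
    if ($http_cookie ~ "(.*)(?:^|;)\s*secret=[^;]+(.*)") {
        set $new_cookie $1$2;
    }
    proxy_set_header Cookie $new_cookie;
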
(Note that the above is completely untested.)
--
Maxim Dounin
http://nginx.org/
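
Added example, not part of the original message: a small Python harness that runs the regex from the snippet above over constructed Cookie headers and checks whether a cookie named "secret" would still reach the upstream. Python's re module stands in for the PCRE engine nginx uses (assumed equivalent for this pattern); nginx_rewrite, reference_strip and leaks are hypothetical helper names.

```python
import re

# The pattern from the nginx snippet above. Python's re is a stand-in for
# PCRE here (assumption: both engines give the same result for this pattern).
NGINX_PATTERN = re.compile(r"(.*)(?:^|;)\s*secret=[^;]+(.*)")


def nginx_rewrite(cookie_header):
    """Mirror the snippet: $new_cookie is $1$2 on a match, else unchanged."""
    m = NGINX_PATTERN.search(cookie_header)
    return m.group(1) + m.group(2) if m else cookie_header


def reference_strip(cookie_header, name="secret"):
    """Reference filter: drop every pair called `name`, keep the rest in order."""
    kept = []
    for pair in cookie_header.split(";"):
        pair = pair.strip()
        if pair and pair.split("=", 1)[0] != name:
            kept.append(pair)
    return "; ".join(kept)


def leaks(header_sent_upstream, name="secret"):
    """True if a cookie called `name` is still present in the header."""
    return any(p.strip().split("=", 1)[0] == name
               for p in header_sent_upstream.split(";"))


# Constructed sample Cookie headers (not taken from real traffic).
SAMPLES = [
    "a=1; secret=abc; b=2",       # target in the middle
    "secret=abc; a=1",            # target first: leaves a leading "; "
    "a=1; secret=abc",            # target last
    "a=1; notsecret=x",           # similar name, must be kept
    "secret=abc; a=1; secret=d",  # same name sent twice (e.g. two paths)
]

if __name__ == "__main__":
    for header in SAMPLES:
        out = nginx_rewrite(header)
        print(f"{header!r:32} -> {out!r:20} leak={leaks(out)} "
              f"reference={reference_strip(header)!r}")
```

The last sample shows the case to test for in a real deployment: the greedy first group makes the pattern remove only the last "secret" pair, so an earlier pair with the same name is still forwarded.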