secure and httponly cookies

Krishna Kumar K K krishna at Brocade.com
Mon Mar 7 21:52:39 UTC 2016


nginx -V

nginx version: nginx/1.8.0
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-3) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-http_spdy_module --with-cc-opt='-O2 -g -pipe -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic'


Config:-

# Security
server_tokens off; # Turn off version number
add_header X-Frame-Options "SAMEORIGIN"; # Turn off clickjacking; so no frames
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;

# Redirect all insecure requests to the secure port
server {
  listen <IP_address>:80 ;
  server_name <server name>;
   return 301 https://<server_name>$request_uri;
}

# Serve SSL encrypted data
server {
  listen <IP_address>:443 default_server ssl;
  # add_header is inherited from the http level only when a block defines none of
  # its own, so the three headers from the http block above are repeated here;
  # with only the HSTS line, this server would not send them.
  add_header Strict-Transport-Security max-age=15768000;
  add_header X-Frame-Options "SAMEORIGIN";
  add_header X-XSS-Protection "1; mode=block";
  add_header X-Content-Type-Options nosniff;
  server_name <server_name>;

  access_log /web/nginx/servers/name/logs/access.log;
  error_log /web/nginx/servers/name/logs/error.log;

  # Security
  ssl on;
  ssl_prefer_server_ciphers on;
  ssl_session_cache shared:SSL:10m;
  ssl_dhparam /etc/ssl/certs/dhparam.pem;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

  ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4';

  # Specify the certificate and key
    ssl_certificate /etc/nginx/ssl/name/server.name.com.crt;
    ssl_certificate_key /etc/nginx/ssl/name/server.name.com.key;

  location /download/ {
    rewrite ^/download/vadxeval$ "https://<server name>/mybrocade/secure/navigate?nid=n32&prodCode=VIRTUAL_ADX&pname=VADX_DOWNLOAD&completePath=downloads/Virtual ADX/Virtual ADX_Eval" break;
    rewrite ^/download/apitoolkit$ "https://<server name>/mybrocade/secure/navigate?nid=n30&prodCode=BRD_API_SUPPORT&prodCatCode=API&pname=VYATTA_DOWNLOAD&completePath=Brocade API Toolkit" break;
  }

  location / {
    rewrite ^/$ https://<server name>/wps/myportal/ break;
    # http:// here sends the client back through the port-80 redirect above
    rewrite ^/wps/portal$ http://<server name>/wps/myportal/ break;

        index index.html;
        root /web/nginx/servers/name/conf;
    proxy_set_header        Host $server_name;
    proxy_set_header        X-Real-IP $remote_addr;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header        X-Forwarded-Proto $scheme;

    proxy_pass http://<webseal_hostname>/;
    proxy_read_timeout 90;
  }
}
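
What proxy_cookie_path actually does to the headers discussed in this thread, as an added example (mine, not Krishna's configuration and not nginx code): it emulates the directive's documented semantics on constructed Set-Cookie headers, reports which cookies still lack Secure and HttpOnly after the rewrite, and builds the Cookie header a browser sends back, which per RFC 6265 carries only name=value pairs and never the attributes. The cookie names and values are made up for the example.

```python
"""Emulate nginx's proxy_cookie_path on Set-Cookie headers and audit the result.

Added example for this thread; it is not Krishna's configuration and not nginx
code. The rewrite follows the documented proxy_cookie_path semantics: a plain
pattern is a case-insensitive prefix of the cookie's path attribute and only
that prefix is swapped for the replacement; a "~" pattern is a regular
expression and the whole path value is replaced, with $N captures expanded.
The Set-Cookie headers below are constructed (names imitate a WebSEAL back end).
"""
import re

# Constructed upstream response headers, as a proxied WebSEAL might send them.
UPSTREAM_SET_COOKIES = [
    "PD-S-SESSION-ID=1_2_0_abc123; Path=/; Domain=.example.test",
    "PD-H-SESSION-ID=xyz; Path=/",
    "LtpaToken2=tok; Path=/wps",  # path deeper than "/"
    "tracking=1",                 # no Path attribute at all
]

# The directive quoted in the thread, and a regex variant of the same idea.
PLAIN_DIRECTIVE = ("/", "/; secure; HttpOnly")
REGEX_DIRECTIVE = ("~(.*)", "$1; secure; HttpOnly")

_PATH_ATTR = re.compile(r"(?:^|;\s*)path=([^;]*)", re.IGNORECASE)


def rewrite_cookie_path(set_cookie, pattern, replacement):
    """Apply one proxy_cookie_path directive; return (header, changed)."""
    m = _PATH_ATTR.search(set_cookie)
    if m is None:
        return set_cookie, False  # no path= attribute: nginx leaves the header alone
    path = m.group(1)
    if pattern.startswith("~"):
        regex, flags = pattern[1:], 0
        if regex.startswith("*"):  # "~*" is nginx's case-insensitive regex form
            regex, flags = regex[1:], re.IGNORECASE
        rm = re.search(regex, path, flags)
        if rm is None:
            return set_cookie, False
        # $1, $2 ... in the replacement refer to the regex captures
        new_path = rm.expand(re.sub(r"\$(\d+)", r"\\\1", replacement))
    else:
        if not path.lower().startswith(pattern.lower()):
            return set_cookie, False
        new_path = replacement + path[len(pattern):]  # prefix only; rest is kept
    start, end = m.span(1)
    return set_cookie[:start] + new_path + set_cookie[end:], True


def cookie_attributes(set_cookie):
    """Lower-cased attribute names after the name=value pair."""
    return {p.strip().split("=", 1)[0].strip().lower()
            for p in set_cookie.split(";")[1:] if p.strip()}


def missing_flags(set_cookie):
    """Which of Secure / HttpOnly a session cookie header still lacks."""
    return sorted({"secure", "httponly"} - cookie_attributes(set_cookie))


def apply_directive(set_cookies, directive):
    """Rewrite every header and pair it with the flags it still lacks."""
    pattern, replacement = directive
    rewritten = [rewrite_cookie_path(sc, pattern, replacement)[0] for sc in set_cookies]
    return [(sc, missing_flags(sc)) for sc in rewritten]


def cookie_request_header(set_cookies):
    """The Cookie header a browser sends back: name=value pairs only (RFC 6265).
    Attributes such as Secure and HttpOnly never appear in requests."""
    return "; ".join(sc.split(";", 1)[0].strip() for sc in set_cookies)


if __name__ == "__main__":
    for label, directive in (("plain", PLAIN_DIRECTIVE), ("regex", REGEX_DIRECTIVE)):
        print(f'proxy_cookie_path {directive[0]} "{directive[1]}";  ({label})')
        for header, missing in apply_directive(UPSTREAM_SET_COOKIES, directive):
            print(f"  Set-Cookie: {header}" + (f"   <- missing {missing}" if missing else ""))
    print("Cookie:", cookie_request_header(UPSTREAM_SET_COOKIES))
```

Two things the run makes visible. A cookie whose path is deeper than "/" comes out as `Path=/; secure; HttpOnlywps` under the prefix form, because only the matched prefix is replaced and the rest of the path is appended after the injected text; the regex form avoids that. A cookie with no Path attribute at all is not touched by either form, so check the back end's real Set-Cookie headers before relying on this directive. And the request-side Cookie header carries no attributes whatever the server sent, so their absence there says nothing about whether the flags took effect.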

-----Original Message-----
From: Krishna Kumar K K 
Sent: Monday, March 07, 2016 1:50 PM
To: nginx at nginx.org
Subject: RE: secure and httponly cookies

I have tried exactly the same as in this page:-

proxy_cookie_path / "/; secure; HttpOnly";

It sets the flags on the cookie in the response header, but when I refresh the page, it is sending the cookies in the request header without these flags; it just resets it.

Thanks,
Krishna

-----Original Message-----
From: nginx [mailto:nginx-bounces at nginx.org] On Behalf Of Aleksandar Lazic
Sent: Monday, March 07, 2016 1:16 PM
To: nginx at nginx.org
Subject: Re: secure and httponly cookies

Hi.

On 07-03-2016 21:15, krishna at brocade.com wrote:
> Here, nginx is proxy passing the requests to webseal and webseal sends 
> the response with cookies.
> We are trying to rewrite this cookie headers.

Please can you show us how you have tried to do this.

As you can see on these pages there should be an option with 'plain' nginx ;-)

http://serverfault.com/questions/268633/controlling-nginx-proxy-target-using-a-cookie
https://maximilian-boehm.com/hp2134/NGINX-as-Proxy-Rewrite-Set-Cookie-to-Secure-and-HttpOnly.htm

Please can you also post the output of nginx -V and the config.

Cheers Aleks

> Could you tell me more about Lua or some links where I can read about it?
> 
> Posted at Nginx Forum:
> https://forum.nginx.org/read.php?2,265137,265142#msg-265142
> 
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
