secure and httponly cookies
Krishna Kumar K K
krishna at Brocade.com
Mon Mar 7 21:52:39 UTC 2016
Nginx -V
nginx version: nginx/1.8.0
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-3) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-http_spdy_module --with-cc-opt='-O2 -g -pipe -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic'
Config:-
#Security
server_tokens off; #Turn off version number
add_header X-Frame-Options "SAMEORIGIN"; #Turn off click jacking; so no frames
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;
# Redirect all insecure requests to the secure port
server {
listen <IP_address>:80 ;
server_name <server name>;
return 301 https://<server_name>$request_uri;
}
# Serve SSL encrypted data
server {
listen <IP_address>:443 default_server ssl;
add_header Strict-Transport-Security max-age=15768000;
server_name <server_name>;
access_log /web/nginx/servers/name/logs/access.log;
error_log /web/nginx/servers/name/logs/ error.log;
# Security
ssl on;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4';
# Specify the certificate and key
ssl_certificate /etc/nginx/ssl/name/server.name.com.crt;
ssl_certificate_key /etc/nginx/ssl/name/server.name.com.key;
location /download/ {
rewrite ^/download/vadxeval$ "https://<server name>/mybrocade/secure/navigate?nid=n32&prodCode=VIRTUAL_ADX&pname=VADX_DOWNLOAD&completePath=downloads/Virtual ADX/Virtual ADX_Eval" break;
rewrite ^/download/apitoolkit$ "https:// <server name>/mybrocade/secure/navigate?nid=n30&prodCode=BRD_API_SUPPORT&prodCatCode=API&pname=VYATTA_DOWNLOAD&completePath=Brocade API Toolkit" break;
}
location / {
rewrite ^/$ https:// <server name>/wps/myportal/ break;
rewrite ^/wps/portal$ http:// <server name>/wps/myportal/ break;
index index.html;
root /web/nginx/servers/name/conf;
proxy_set_header Host $server_name;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://<webseal_hostname>/;
proxy_read_timeout 90;
}
}
-----Original Message-----
From: Krishna Kumar K K
Sent: Monday, March 07, 2016 1:50 PM
To: nginx at nginx.org
Subject: RE: secure and httponly cookies
I have tried exactly the same as in this page:-
proxy_cookie_path / "/; secure; HttpOnly";
it sets the flags on the cookie in the response header, but when I refresh the page, it is sending the cookies in the requests header without these flags, it just resets it.
Thanks,
Krishna
-----Original Message-----
From: nginx [mailto:nginx-bounces at nginx.org] On Behalf Of Aleksandar Lazic
Sent: Monday, March 07, 2016 1:16 PM
To: nginx at nginx.org
Subject: Re: secure and httponly cookies
Hi.
Am 07-03-2016 21:15, schrieb krishna at brocade.com:
> Here, nginx is proxy passing the requests to webseal and webseal sends
> the response with cookies.
> We are trying to rewrite this cookie headers.
Please can you show us how you have tried to do this.
As you can see on this pages there should be a option with 'plain' nginx
;-)
https://urldefense.proofpoint.com/v2/url?u=http-3A__serverfault.com_questions_268633_controlling-2Dnginx-2Dproxy-2Dtarget-2Dusing-2Da-2Dcookie&d=CwICAg&c=IL_XqQWOjubgfqINi2jTzg&r=PZ7-DbptEeW_9SeYl3U87b-UoRqXIcJD3kzHs3AtV7E&m=6gm5ZW2zS0OsqHDgC0ZQdRy2r648aRPQq1pCVy1H4sA&s=RUz0YUGoSUkE6lu5tJ39Q6wGT4OOTv5_pHDdBeUYXs8&e=
https://urldefense.proofpoint.com/v2/url?u=https-3A__maximilian-2Dboehm.com_hp2134_NGINX-2Das-2DProxy-2DRewrite-2DSet-2DCookie-2Dto-2DSecure-2Dand-2DHttpOnly.htm&d=CwICAg&c=IL_XqQWOjubgfqINi2jTzg&r=PZ7-DbptEeW_9SeYl3U87b-UoRqXIcJD3kzHs3AtV7E&m=6gm5ZW2zS0OsqHDgC0ZQdRy2r648aRPQq1pCVy1H4sA&s=yaYJMYFzaQG_Jx8xt2eDryBca7PrrSJCMoxoMwcR5xQ&e=
Please can you also post the output of nginx -V and the config.
Cheers Aleks
> Could you tell me more about LUA or some links where i can read about
> it?
>
> Posted at Nginx Forum:
> https://urldefense.proofpoint.com/v2/url?u=https-3A__forum.nginx.org_r
> ead.php-3F2-2C265137-2C265142-23msg-2D265142&d=CwICAg&c=IL_XqQWOjubgfq
> INi2jTzg&r=PZ7-DbptEeW_9SeYl3U87b-UoRqXIcJD3kzHs3AtV7E&m=6gm5ZW2zS0Osq
> HDgC0ZQdRy2r648aRPQq1pCVy1H4sA&s=Mv5hguz8jSa78zlUxgzcU4OCcKCRtqjhKZ_xl
> wesMOA&e=
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> https://urldefense.proofpoint.com/v2/url?u=http-3A__mailman.nginx.org_
> mailman_listinfo_nginx&d=CwICAg&c=IL_XqQWOjubgfqINi2jTzg&r=PZ7-DbptEeW
> _9SeYl3U87b-UoRqXIcJD3kzHs3AtV7E&m=6gm5ZW2zS0OsqHDgC0ZQdRy2r648aRPQq1p
> CVy1H4sA&s=AFoUlENMfmYahoSjjMns5RW3FemZeDlb6xodRGyXtmA&e=
_______________________________________________
nginx mailing list
nginx at nginx.org
https://urldefense.proofpoint.com/v2/url?u=http-3A__mailman.nginx.org_mailman_listinfo_nginx&d=CwICAg&c=IL_XqQWOjubgfqINi2jTzg&r=PZ7-DbptEeW_9SeYl3U87b-UoRqXIcJD3kzHs3AtV7E&m=6gm5ZW2zS0OsqHDgC0ZQdRy2r648aRPQq1pCVy1H4sA&s=AFoUlENMfmYahoSjjMns5RW3FemZeDlb6xodRGyXtmA&e=
More information about the nginx
mailing list