Help with securing "route" cookie
Gerard Mattison
gerardmattison455 at gmail.com
Sat Nov 19 21:08:24 UTC 2016
Hello all,
I am using nginx with nginx-sticky-module-ng for distributing the load
among servers per specific user session for my java application.
One of the issues I am having is that when I ran a vulnerability assessment,
the "route" cookie is coming up as not secure.
Attached image shows the issue.
I would appreciate it if anyone can help me on how to make the route cookie secure.
Thanks in advance.
Best Regards,
Gerard
*nginx configuration*
upstream jetty {
    sticky secure;
    server 10.1.10.1:8080 fail_timeout=3s;
    server 10.1.10.2:8080 fail_timeout=3s;
    server 10.1.10.3:8080 fail_timeout=3s;
}

server {
    listen 80;
    server_name webapp.contoso.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name webapp.contoso.com;
    access_log /var/log/nginx/webapp.contoso.com-access.log;
    error_log /var/log/nginx/webapp.contoso.com-error.log;
    ssl on;
    ssl_certificate /etc/nginx/ssl/chain.crt;
    ssl_certificate_key /etc/nginx/ssl/ssl.key;

    location / {
        proxy_pass http://jetty/;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_connect_timeout 90;
        proxy_send_timeout 180;
        proxy_read_timeout 180;
        proxy_buffer_size 128k;
        proxy_buffers 100 256k;
        proxy_busy_buffers_size 256k;
        proxy_intercept_errors on;
    }

    include deny_dots.conf;
}
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Snap156.gif
Type: image/gif
Size: 16427 bytes
Desc: not available
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20161119/3ff25eec/attachment.gif>
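
An added example, not part of the original post and not nginx or module code: a small Python check that lists which of the Secure and HttpOnly attributes each Set-Cookie header lacks, which is what to inspect when a scanner reports a cookie such as "route" as not secure. The response head below is constructed for illustration, and that the scanner finding refers to one of these two attributes is an assumption.

```python
"""Added example: audit Set-Cookie attributes in a raw HTTP response head."""

# Constructed sample response head (NOT captured from the poster's server).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Set-Cookie: route=0123456789abcdef; Path=/; Secure\r\n"
    "Set-Cookie: JSESSIONID=node01abc; Path=/; Secure; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

# Assumption: these are the attributes the scanner's finding is about.
FLAGS = ("secure", "httponly")


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, {attribute: value-or-True})."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts:
        return None, {}
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        # Attribute names are case-insensitive; valueless ones are flags.
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name, attrs


def audit_cookies(raw_head):
    """Return {cookie name: list of missing flags} for every Set-Cookie."""
    findings = {}
    for line in raw_head.split("\r\n")[1:]:  # skip the status line
        if not line:
            break  # blank line ends the header block
        header, _, value = line.partition(":")
        if header.strip().lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if name:
            findings[name] = [f for f in FLAGS if f not in attrs]
    return findings


if __name__ == "__main__":
    for cookie, missing in audit_cookies(SAMPLE_RESPONSE).items():
        print(cookie, "missing:", ", ".join(missing) or "nothing")
```

To use it on a real deployment, save the response head from the HTTPS virtual host to a string and pass it to audit_cookies() in place of the constructed sample.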