Forcing incognito mode on a reverse proxy
Francis Daly
francis at daoine.org
Wed Dec 20 10:59:18 UTC 2023
On Sat, Dec 16, 2023 at 02:16:45PM -0500, Saint Michael wrote:
Hi there,
> I have a reverse proxy but for security reasons, I need to force the
> client to work the closest to an Incognito session as possible.
I suspect that that can only reliably be done by telling the client to
use an Incognito session. nginx-in-the-middle will not be able to do it,
without lots of extra state being stored across requests. (Which may
well be doable by you writing the code to do it; but I suspect that it
can't be done purely in stock nginx configuration.)
> I tried adding the following:
>
> proxy_set_header Cookie "";
> add_header Set-Cookie "cookie_name=; Expires=Thu, 01 Jan 1970 00:00:01 GMT;"; }
>
> but it still does not work correctly.
I suspect that it will be useful to learn what exactly you consider an
Incognito session to be.
My understanding is that, among other things, the client will choose
not to send any cookies that had been set outside of this session, but
will choose to send cookies that were set within this session. If that
is correct, then "never sending cookies" is not the correct design.
The client can know when the cookies that it has were set; for nginx
to know that, it would need to keep track of the Set-Cookie responses
for each client, and only allow through matching Cookie requests from
the matching client. And by default, nginx does not know or care about
that information.
> Is there a way to do this?
Probably not trivially.
Good luck with it!
f
--
Francis Daly francis at daoine.org
More information about the nginx
mailing list