Re: Hide a request cookie in proxy_pass

Maxim Dounin
August 29, 2014 01:28PM
Hello!

On Fri, Aug 29, 2014 at 11:55:08AM -0400, gthb wrote:

> Hi,
>
> is it possible to hide one request cookie (but not all, so proxy_set_header
> Cookie "" is not the way) when proxying to an upstream server?
>
> The use case is:
>
> * website foo.com uses a hosted service on a subdomain, e.g. blog.foo.com
> hosted by Wordpress.com
>
> * horror: MSIE will send all foo.com cookies to the subdomain too, leaking
> sessions (not just to Wordpress.com but to everyone because blog.foo.com
> does not support HTTPS), and there's no way to tell it not to
>
> * proposed workaround: serve blog.foo.com yourself, using Nginx, HTTPS-only,
> proxying to the hosted service (as foo.wordpress.com, which does support
> HTTPS), and stripping out the parent-domain request cookies
>
> Is there a way to do this with Nginx? A way to rewrite the Cookie header to
> strip out selected cookies?

With proxy_set_header you can change the header to any value,
including one with a particular cookie removed. The tricky part
is to construct a new value for the original header. Something like
this should work:

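    set $new_cookie $http_cookie;

    # Drop the "secret" cookie; $1 and $2 keep what precedes and follows it.
    if ($http_cookie ~ "(.*)(?:^|;)\s*secret=[^;]+(.*)") {
        set $new_cookie $1$2;
    }

    # Send the rewritten header to the upstream.
    proxy_set_header Cookie $new_cookie;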

(Note that the above is completely untested.)

--
Maxim Dounin
http://nginx.org/
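
An added example, not part of the original post or of nginx: a Python check of the regex from the reply above against constructed Cookie headers, comparing one application of it (what the `if` block performs) with a parser-based reference. The function names and sample headers are assumptions, and Python's `re` stands in for nginx's PCRE, which is assumed to treat this pattern the same way.

```python
import re

def strip_once(cookie_header, name="secret"):
    """One application of the reply's regex, as the nginx `if` block does."""
    pattern = r"(.*)(?:^|;)\s*" + re.escape(name) + r"=[^;]+(.*)"
    m = re.search(pattern, cookie_header)
    if m is None:
        return cookie_header            # $new_cookie stays $http_cookie
    return m.group(1) + m.group(2)      # set $new_cookie $1$2

def cookie_names(cookie_header):
    """Names of all name=value pairs in a Cookie header."""
    return [p.strip().split("=", 1)[0]
            for p in cookie_header.split(";") if p.strip()]

def strip_all(cookie_header, name="secret"):
    """Reference result: parse the header and drop every pair called `name`."""
    kept = [p.strip() for p in cookie_header.split(";")
            if p.strip() and p.strip().split("=", 1)[0] != name]
    return "; ".join(kept)

def still_present(cookie_header, name="secret"):
    """True if a pair called `name` survives one pass of the regex."""
    return name in cookie_names(strip_once(cookie_header, name))

# Constructed sample headers (not taken from the thread).
SAMPLES = [
    "a=1; secret=x; b=2",        # cookie in the middle
    "secret=x; b=2",             # cookie first: a leading ";" is left behind
    "secret=a; x=1; secret=b",   # same name twice: only the last is removed
    "notsecret=x; b=2",          # similar name: must be left alone
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{header!r:28} regex -> {strip_once(header)!r:20} "
              f"reference -> {strip_all(header)!r:20} "
              f"still present: {still_present(header)}")
```

The third sample is the case to include when testing a deployed rule: with the name occurring twice, a single pass forwards the first `secret` pair to the upstream.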
