Welcome! Log In Create A New Profile

RE: secure and httponly cookies

Forum List Message List New Topic Print View

krishna@brocade.com

March 07, 2016 04:54PM

Registered: 8 years ago
Posts: 8

Nginx -V

nginx version: nginx/1.8.0
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-3) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-http_spdy_module --with-cc-opt='-O2
-g -pipe -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic'

Config:-

#Security
server_tokens off; #Turn off version number
add_header X-Frame-Options "SAMEORIGIN"; #Turn off click jacking; so no frames
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;

# Redirect all insecure requests to the secure port
server {
listen <IP_address>:80 ;
server_name <server name>;
return 301 https://<server_name>$request_uri;
}

# Serve SSL encrypted data
server {
listen <IP_address>:443 default_server ssl;
add_header Strict-Transport-Security max-age=15768000;
server_name <server_name>;

access_log /web/nginx/servers/name/logs/access.log;
error_log /web/nginx/servers/name/logs/ error.log;

# Security
ssl on;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4';

# Specify the certificate and key
ssl_certificate /etc/nginx/ssl/name/server.name.com.crt;
ssl_certificate_key /etc/nginx/ssl/name/server.name.com.key;

location /download/ {
rewrite ^/download/vadxeval$ "https://<server name>/mybrocade/secure/navigate?nid=n32&prodCode=VIRTUAL_ADX&pname=VADX_DOWNLOAD&completePath=downloads/Virtual ADX/Virtual ADX_Eval" break;
rewrite ^/download/apitoolkit$ "https:// <server name>/mybrocade/secure/navigate?nid=n30&prodCode=BRD_API_SUPPORT&prodCatCode=API&pname=VYATTA_DOWNLOAD&completePath=Brocade API Toolkit" break;
}

location / {
rewrite ^/$ https:// <server name>/wps/myportal/ break;
rewrite ^/wps/portal$ http:// <server name>/wps/myportal/ break;

index index.html;
root /web/nginx/servers/name/conf;
proxy_set_header Host $server_name;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;

proxy_pass http://<webseal_hostname>/;
proxy_read_timeout 90;
}
}

-----Original Message-----
From: Krishna Kumar K K
Sent: Monday, March 07, 2016 1:50 PM
To: nginx@nginx.org
Subject: RE: secure and httponly cookies

I have tried exactly the same as in this page:-

proxy_cookie_path / "/; secure; HttpOnly";

it sets the flags on the cookie in the response header, but when I refresh the page, it is sending the cookies in the requests header without these flags, it just resets it.

Thanks,
Krishna

-----Original Message-----
From: nginx [mailto:nginx-bounces@nginx.org] On Behalf Of Aleksandar Lazic
Sent: Monday, March 07, 2016 1:16 PM
To: nginx@nginx.org
Subject: Re: secure and httponly cookies

Hi.

Am 07-03-2016 21:15, schrieb krishna@brocade.com:
> Here, nginx is proxy passing the requests to webseal and webseal sends
> the response with cookies.
> We are trying to rewrite this cookie headers.

Please can you show us how you have tried to do this.

As you can see on this pages there should be a option with 'plain' nginx
;-)

https://urldefense.proofpoint.com/v2/url?u=http-3A__serverfault.com_questions_268633_controlling-2Dnginx-2Dproxy-2Dtarget-2Dusing-2Da-2Dcookie&d=CwICAg&c=IL_XqQWOjubgfqINi2jTzg&r=PZ7-DbptEeW_9SeYl3U87b-UoRqXIcJD3kzHs3AtV7E&m=6gm5ZW2zS0OsqHDgC0ZQdRy2r648aRPQq1pCVy1H4sA&s=RUz0YUGoSUkE6lu5tJ39Q6wGT4OOTv5_pHDdBeUYXs8&e=
https://urldefense.proofpoint.com/v2/url?u=https-3A__maximilian-2Dboehm.com_hp2134_NGINX-2Das-2DProxy-2DRewrite-2DSet-2DCookie-2Dto-2DSecure-2Dand-2DHttpOnly.htm&d=CwICAg&c=IL_XqQWOjubgfqINi2jTzg&r=PZ7-DbptEeW_9SeYl3U87b-UoRqXIcJD3kzHs3AtV7E&m=6gm5ZW2zS0OsqHDgC0ZQdRy2r648aRPQq1pCVy1H4sA&s=yaYJMYFzaQG_Jx8xt2eDryBca7PrrSJCMoxoMwcR5xQ&e=

Please can you also post the output of nginx -V and the config.

Cheers Aleks

> Could you tell me more about LUA or some links where i can read about
> it?
>
> Posted at Nginx Forum:
> https://urldefense.proofpoint.com/v2/url?u=https-3A__forum.nginx.org_r
> ead.php-3F2-2C265137-2C265142-23msg-2D265142&d=CwICAg&c=IL_XqQWOjubgfq
> INi2jTzg&r=PZ7-DbptEeW_9SeYl3U87b-UoRqXIcJD3kzHs3AtV7E&m=6gm5ZW2zS0Osq
> HDgC0ZQdRy2r648aRPQq1pCVy1H4sA&s=Mv5hguz8jSa78zlUxgzcU4OCcKCRtqjhKZ_xl
> wesMOA&e=
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> https://urldefense.proofpoint.com/v2/url?u=http-3A__mailman.nginx.org_
> mailman_listinfo_nginx&d=CwICAg&c=IL_XqQWOjubgfqINi2jTzg&r=PZ7-DbptEeW
> _9SeYl3U87b-UoRqXIcJD3kzHs3AtV7E&m=6gm5ZW2zS0OsqHDgC0ZQdRy2r648aRPQq1p
> CVy1H4sA&s=AFoUlENMfmYahoSjjMns5RW3FemZeDlb6xodRGyXtmA&e=

_______________________________________________
nginx mailing list
nginx@nginx.org
https://urldefense.proofpoint.com/v2/url?u=http-3A__mailman.nginx.org_mailman_listinfo_nginx&d=CwICAg&c=IL_XqQWOjubgfqINi2jTzg&r=PZ7-DbptEeW_9SeYl3U87b-UoRqXIcJD3kzHs3AtV7E&m=6gm5ZW2zS0OsqHDgC0ZQdRy2r648aRPQq1pCVy1H4sA&s=AFoUlENMfmYahoSjjMns5RW3FemZeDlb6xodRGyXtmA&e=

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx

Reply Quote

RSS

Subject	Author	Posted
secure and httponly cookies	krishna@brocade.com	March 07, 2016 02:38PM
Re: secure and httponly cookies	Lucas Rolff	March 07, 2016 02:48PM
Re: secure and httponly cookies	krishna@brocade.com	March 07, 2016 02:54PM
Re: secure and httponly cookies	Lucas Rolff	March 07, 2016 03:02PM
Re: secure and httponly cookies	krishna@brocade.com	March 07, 2016 03:15PM
Re: secure and httponly cookies	Aapo Talvensaari	March 07, 2016 03:32PM
Re: secure and httponly cookies	Robert Paprocki	March 07, 2016 03:38PM
Re: secure and httponly cookies	Aleksandar Lazic	March 07, 2016 04:26PM
RE: secure and httponly cookies	krishna@brocade.com	March 07, 2016 04:52PM
Re: secure and httponly cookies	Francis Daly	March 07, 2016 05:58PM
RE: secure and httponly cookies	krishna@brocade.com	March 07, 2016 07:40PM
Re: secure and httponly cookies	Aapo Talvensaari	March 08, 2016 02:36AM
RE: secure and httponly cookies	krishna@brocade.com	March 08, 2016 02:46AM
RE: secure and httponly cookies	Aleksandar Lazic	March 08, 2016 03:00AM
RE: secure and httponly cookies	krishna@brocade.com	March 07, 2016 04:54PM

Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 304

Record Number of Users: 8 on April 13, 2023

Record Number of Guests: 421 on December 02, 2018