Skip to main content Logo (IEC resistor symbol)logo

Quis custodiet ipsos custodes?
Home | About | All pages | RSS Feed | Gopher

haproxy: intercept all cookies and set secure attribute

Published: 01-02-2014 | Author: Remy van Elst | Text only version of this article

Table of Contents

This snippet shows you how to use haproxy to set the secure attribute oncookies. You might have a backend application which is not able to set thesecure attribute on cookies or for which haproxy does the ssl offloading. Thissimple frontend rspirep sets the secure attribute for all cookies.

If you like this article, consider sponsoring me by trying out a Digital OceanVPS. With this link you'll get $100 credit for 60 days). (referral link)

Add the following to a frontend block:

rspirep ^(set-cookie:.*)  \1;\ Secure

Like so:

frontend example-frontend  reqadd X-Forwarded-Proto:\ https  rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains  option forwardfor except  maxconn 2000  rspirep ^(set-cookie:.*)  \1;\ Secure  bind ssl crt /etc/haproxy/pem/example.pem ciphers ECDHE+RSA+AES256+GCM+SHA384:ECDHE+RSA+AES128+GCM+SHA256:DHE+RSA+AES256+GCM+SHA384:DHE+RSA+AES128+GCM+SHA256:ECDHE+RSA+AES256+SHA384:ECDHE+RSA+AES128+SHA256:ECDHE+RSA+AES256+SHA:ECDHE+RSA+AES128+SHA:DHE+RSA+AES256+SHA256:DHE+RSA+AES128+SHA256:DHE+RSA+AES256+SHA:DHE+RSA+AES128+SHA:ECDHE+RSA+DES+CBC3+SHA:EDH+RSA+DES+CBC3+SHA:AES256+GCM+SHA384:AES128+GCM+SHA256:AES256+SHA256:AES128+SHA256:AES256+SHA:AES128+SHA:DES+CBC3+SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4  default_backend example-backend

This will set (and re-set) all your cookies with the secure attribute on.

Documentation on rspirep

Tags: cookies, haproxy, loadbalancer, secure, ssl, tutorials