Skip to main content

Raymii.org Raymii.org Logo

Quis custodiet ipsos custodes?
Home | About | All pages | Cluster Status | RSS Feed

haproxy: intercept all cookies and set secure attribute

Published: 01-02-2014 | Author: Remy van Elst | Text only version of this article


❗ This post is over ten years old. It may no longer be up to date. Opinions may have changed.

This snippet shows you how to use haproxy to set the secure attribute on cookies. You might have a backend application which is not able to set the secure attribute on cookies or for which haproxy does the ssl offloading. This simple frontend rspirep sets the secure attribute for all cookies.

Recently I removed all Google Ads from this site due to their invasive tracking, as well as Google Analytics. Please, if you found this content useful, consider a small donation using any of the options below:

I'm developing an open source monitoring app called Leaf Node Monitoring, for windows, linux & android. Go check it out!

Consider sponsoring me on Github. It means the world to me if you show your appreciation and you'll help pay the server costs.

You can also sponsor me by getting a Digital Ocean VPS. With this referral link you'll get $200 credit for 60 days. Spend $25 after your credit expires and I'll get $25!

Add the following to a frontend block:

rspirep ^(set-cookie:.*)  \1;\ Secure

Like so:

frontend example-frontend
  reqadd X-Forwarded-Proto:\ https
  rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains
  option forwardfor except 127.0.0.1
  maxconn 2000
  rspirep ^(set-cookie:.*)  \1;\ Secure
  bind 10.20.30.40:443 ssl crt /etc/haproxy/pem/example.pem ciphers ECDHE+RSA+AES256+GCM+SHA384:ECDHE+RSA+AES128+GCM+SHA256:DHE+RSA+AES256+GCM+SHA384:DHE+RSA+AES128+GCM+SHA256:ECDHE+RSA+AES256+SHA384:ECDHE+RSA+AES128+SHA256:ECDHE+RSA+AES256+SHA:ECDHE+RSA+AES128+SHA:DHE+RSA+AES256+SHA256:DHE+RSA+AES128+SHA256:DHE+RSA+AES256+SHA:DHE+RSA+AES128+SHA:ECDHE+RSA+DES+CBC3+SHA:EDH+RSA+DES+CBC3+SHA:AES256+GCM+SHA384:AES128+GCM+SHA256:AES256+SHA256:AES128+SHA256:AES256+SHA:AES128+SHA:DES+CBC3+SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4
  default_backend example-backend

This will set (and re-set) all your cookies with the secure attribute on.

Documentation on rspirep

Tags: cookies , haproxy , loadbalancer , secure , ssl , tutorials