How to protect application cookies while offloading SSL

SSL offloading

SSL offloading or acceleration is often seen as a huge benefit for applications. People usually forget that it may have impacts on the application itself. Some times ago, I wrote a blog article which lists these impacts and propose some solutions, using HAProxy.

One thing I forgot to mention at that time was Cookies.
You don’t want your clients to send their cookies (understand their identity) in clear through the Internet.
This is today’s article purpose.

Actually, there is a cookie attribute called Secure which can be emit by a server. When this attribute is set, the client SHOULD not send the cookie over a clear HTTP connection.

SSL offloading Diagram

Simple SSL offloading diagram:

|--------|              |---------|           |--------|
| client |  ==HTTPS==>  | HAProxy | --HTTP--> | Server |
|--------|              |---------|           |--------|

The client uses HTTPs to get connected on HAProxy, HAProxy gets connected to the application server through HTTP.

Even if HAProxy can forward client connection mode information to the application server, the application server may not protect its cookie…
Fortunately, we can use HAProxy for this purpose.

Howto make HAProxy to protect application cookie when SSL offloading is enabled

That’s the question.

The response is as simple as the configuration below:

acl https          ssl_fc
acl secured_cookie res.hdr(Set-Cookie),lower -m sub secure
rspirep ^(set-cookie:.*) \1;\ Secure if https !secured_cookie

The configuration above sets up the Secure attribute if it has not been setup by the application server while the client was browsing the application over a ciphered connection.

Related Links


4 thoughts on “How to protect application cookies while offloading SSL”

  1. This works as long as you only have one Set-Cookie header at a time. For multiples, the acl will return the result of the *last* Set-Cookie header. To solve this, you want to rewrite each Set-Cookie using the following line:
    rspirep ^(set-cookie: (?:(?! [Ss]ecure).)*)$ 1; Secure

  2. This attribute need to be setup only for 443 front-end or 80-front-end also? what is the impact if set this attribute to both 80 and 443 instances?

    What is the difference by setting this flag at backend section?

    1. Only when the traffic is ciphered between HAProxy and the client.
      If you set it up over port 80 (and clear traffic in general), then the client won’t send the cookie back.

  3. Any reason to check if secure attribute is set?
    I set it always. One check less. Just one line in frontend block:

    rspirep ^(set-cookie:.*) \1;\ Secure # Add secure attribute to all cookies

Leave a Reply

Your email address will not be published. Required fields are marked *