SSL offloading or acceleration is often seen as a huge benefit for applications. People usually forget that it may have impacts on the application itself. Some time ago, I wrote a blog article which lists these impacts and proposes some solutions using HAProxy.
One thing I forgot to mention at that time was cookies. You don't want your clients to send their cookies (which carry their identity) in clear text across the Internet. That is the subject of today's article.
Actually, there is a cookie attribute called Secure which a server can set. When this attribute is set, the client SHOULD not send the cookie over a clear HTTP connection.
Simple SSL Offloading Diagram:

```
|--------|            |---------|           |--------|
| client | ==HTTPS==> | HAProxy | --HTTP--> | Server |
|--------|            |---------|           |--------|
```

The client connects to HAProxy over HTTPS, and HAProxy connects to the application server over plain HTTP.
Even if HAProxy can forward information about the client's connection mode to the application server, the application server may still not protect its cookies. Fortunately, HAProxy can take care of it.
How to Make HAProxy Protect Application Cookie When SSL Offloading Is Enabled
That’s the question.
The response is as simple as the configuration below:
```
# true when the client-side connection was made over TLS
acl https          ssl_fc
# true when any Set-Cookie header of the response already contains "secure"
acl secured_cookie res.hdr(Set-Cookie),lower -m sub secure
# append "; Secure" to the Set-Cookie header(s) when both conditions hold
# (rspirep was removed in HAProxy 2.1; current versions express the same
#  rewrite with http-response replace-header)
rspirep ^(set-cookie:.*) \1;\ Secure if https !secured_cookie
```

The configuration above adds the Secure attribute whenever the application server did not set it and the client reached the application over an encrypted connection.
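The rule's logic written out in Python, as an added example that is neither the article's nor HAProxy's own code: secure_cookies checks the attribute per header, while haproxy_acl_rewrite mirrors the acl's whole-response substring test, so the difference shows on a constructed response where one cookie is already protected. Function and variable names are mine.

```python
import re
from typing import List

# RFC 6265: attributes follow the first ';' and are compared case-insensitively.
_SECURE_ATTR = re.compile(r"^\s*secure\s*$", re.IGNORECASE)


def has_secure_attribute(set_cookie: str) -> bool:
    """True only if a real Secure attribute is present.

    The cookie name/value (everything before the first ';') is skipped, so a
    cookie such as 'insecure_mode=1' does not count as protected.
    """
    attributes = set_cookie.split(";")[1:]
    return any(_SECURE_ATTR.match(attr) for attr in attributes)


def secure_cookies(set_cookie_headers: List[str], frontend_is_tls: bool) -> List[str]:
    """Per-header version of the rule: when the client side was TLS (ssl_fc),
    append '; Secure' to each Set-Cookie header that lacks the attribute."""
    if not frontend_is_tls:
        return list(set_cookie_headers)
    return [h if has_secure_attribute(h) else h.rstrip() + "; Secure"
            for h in set_cookie_headers]


def haproxy_acl_rewrite(set_cookie_headers: List[str], frontend_is_tls: bool) -> List[str]:
    """Emulation of the article's acl + rspirep pair.

    'res.hdr(Set-Cookie),lower -m sub secure' is a substring test over every
    Set-Cookie header of the response, so one protected cookie (or the word
    'secure' inside a name or value) switches the rewrite off for all of them.
    """
    if not frontend_is_tls:
        return list(set_cookie_headers)
    if any("secure" in h.lower() for h in set_cookie_headers):
        return list(set_cookie_headers)
    return [h + "; Secure" for h in set_cookie_headers]


# Constructed response: one unprotected session cookie next to a protected one.
SAMPLE_RESPONSE = ["SID=a1b2c3; Path=/; HttpOnly", "lang=fr; Path=/; Secure"]

if __name__ == "__main__":
    print(secure_cookies(SAMPLE_RESPONSE, True))
    print(haproxy_acl_rewrite(SAMPLE_RESPONSE, True))
```

On the sample response the per-header version protects the session cookie, while the substring acl leaves it untouched because the second cookie already contains "secure".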