SSL offloading or acceleration is often seen as a huge benefit for applications. People usually forget that it may have impacts on the application itself. Some time ago, I wrote a blog article which lists these impacts and proposes some solutions, using HAProxy.
One thing I forgot to mention at that time was Cookies.
You don’t want your clients to send their cookies (that is, their identity) in clear text through the Internet.
This is today’s article purpose.
Actually, there is a cookie attribute called Secure which can be emitted by a server. When this attribute is set, the client SHOULD NOT send the cookie over a clear HTTP connection.
SSL offloading Diagram
Simple SSL offloading diagram:

|--------|            |---------|           |--------|
| client | ==HTTPS==> | HAProxy | --HTTP--> | Server |
|--------|            |---------|           |--------|
The client connects to HAProxy over HTTPS; HAProxy connects to the application server over plain HTTP.
Even if HAProxy can forward the client connection mode information to the application server, the application server may still not protect its cookie…
Fortunately, we can use HAProxy for this purpose.
How to make HAProxy protect the application cookie when SSL offloading is enabled
That’s the question.
The response is as simple as the configuration below:
acl https ssl_fc
acl secured_cookie res.hdr(Set-Cookie),lower -m sub secure
rspirep ^(set-cookie:.*) \1;\ Secure if https !secured_cookie
The configuration above adds the Secure attribute whenever the application server has not set it itself and the client is browsing the application over an encrypted (HTTPS) connection.
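To make the rewrite rule above concrete, here is an added Python model of what HAProxy does with it (illustration code written for this article, not HAProxy's own code). It applies the same two conditions, front-end connection is TLS and the Set-Cookie header does not already carry Secure, to a constructed list of response headers. It also shows one caveat of the page's acl worth knowing: `res.hdr(Set-Cookie),lower -m sub secure` is a substring match, so a cookie such as `insecure_banner=1` already "contains" secure and would be left without the attribute. The stricter `has_secure_attribute` check below, which only accepts a real Secure attribute after the first `;`, avoids that; the function and header names are mine.

```python
"""Model of the Secure-attribute rewrite HAProxy performs with the
configuration above. Added illustration, not HAProxy code; all headers and
cookie values below are constructed sample data."""

from typing import Callable, List, Tuple

Header = Tuple[str, str]


def has_secure_substring(value: str) -> bool:
    """Mirrors the page's acl: lowercase the header value and look for the
    substring 'secure' anywhere in it (cookie name, value or attributes)."""
    return "secure" in value.lower()


def has_secure_attribute(value: str) -> bool:
    """Stricter check: only a genuine Secure attribute counts. Attributes
    follow the first ';' of a Set-Cookie value and are case-insensitive."""
    parts = [p.strip() for p in value.split(";")]
    return any(p.lower() == "secure" for p in parts[1:])


def add_secure_attribute(
    headers: List[Header],
    front_is_tls: bool,
    already_secure: Callable[[str], bool] = has_secure_attribute,
) -> List[Header]:
    """Append '; Secure' to every Set-Cookie header that lacks it, but only
    when the client-side connection is TLS (the page's 'ssl_fc' condition).
    Other headers, and responses to plain-HTTP clients, pass through as-is."""
    out: List[Header] = []
    for name, value in headers:
        if front_is_tls and name.lower() == "set-cookie" and not already_secure(value):
            value = value + "; Secure"
        out.append((name, value))
    return out


# Constructed backend response: one unprotected session cookie, one cookie
# whose name merely contains "secure", and one already-protected cookie.
SAMPLE_RESPONSE: List[Header] = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "SESSIONID=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "insecure_banner=1; Path=/"),
    ("Set-Cookie", "csrf=xyz; Path=/; Secure"),
]


if __name__ == "__main__":
    print("attribute check, HTTPS client:")
    for h in add_secure_attribute(SAMPLE_RESPONSE, True):
        print("  %s: %s" % h)
    print("substring check (page's acl), HTTPS client:")
    for h in add_secure_attribute(SAMPLE_RESPONSE, True, has_secure_substring):
        print("  %s: %s" % h)
    print("plain HTTP client: unchanged ->",
          add_secure_attribute(SAMPLE_RESPONSE, False) == SAMPLE_RESPONSE)
```

Running the script prints the two variants side by side: with the attribute check every unprotected cookie gains Secure, while with the page's substring check `insecure_banner` is skipped. If you want the stricter behaviour in HAProxy itself, tighten the acl to match the attribute rather than any occurrence of the word, for example with a regular-expression match anchored on `; *secure` at an attribute boundary.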