Forum: NGINX Hide a request cookie in proxy_pass

gthb (Guest)
on 2014-08-29 17:55
(Received via mailing list)
Hi,

is it possible to hide one request cookie (but not all, so proxy_set_header Cookie "" is not the way) when proxying to an upstream server?

The use case is:

* website foo.com uses a hosted service on a subdomain, e.g. blog.foo.com hosted by Wordpress.com

* horror: MSIE will send all foo.com cookies to the subdomain too, leaking sessions (not just to Wordpress.com but to everyone because blog.foo.com does not support HTTPS), and there's no way to tell it not to

* proposed workaround: serve blog.foo.com yourself, using Nginx, HTTPS-only, proxying to the hosted service (as foo.wordpress.com, which does support HTTPS), and stripping out the parent-domain request cookies

Is there a way to do this with Nginx? A way to rewrite the Cookie header to strip out selected cookies?

Or is the only way out of this to avoid the subdomain cookie situation
altogether, either by running www.foo.com instead of foo.com, or by
abandoning the subdomain and using e.g. foo.com/blog/ instead?

Thanks,

Gulli

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,252944,252944#msg-252944
Maxim Dounin (Guest)
on 2014-08-29 19:27
(Received via mailing list)
Hello!

On Fri, Aug 29, 2014 at 11:55:08AM -0400, gthb wrote:

> * horror: MSIE will send all foo.com cookies to the subdomain too, leaking
> sessions (not just to Wordpress.com but to everyone because blog.foo.com
> does not support HTTPS), and there's no way to tell it not to
>
> * proposed workaround: serve blog.foo.com yourself, using Nginx, HTTPS-only,
> proxying to the hosted service (as foo.wordpress.com, which does support
> HTTPS), and stripping out the parent-domain request cookies
>
> Is there a way to do this with Nginx? A way to rewrite the Cookie header to
> strip out selected cookies?

With proxy_set_header you can change the header to any value,
including one with a particular cookie removed.  The tricky part
is to construct a new value for the original header.  Something like
this should work:

    # start from the cookies the browser sent
    set $new_cookie $http_cookie;

    # $1 is everything before the "secret" cookie, $2 everything after it
    if ($http_cookie ~ "(.*)(?:^|;)\s*secret=[^;]+(.*)") {
        set $new_cookie $1$2;
    }

    # send the filtered copy upstream instead of the original header
    proxy_set_header Cookie $new_cookie;

(Note that the above is completely untested.)

--
Maxim Dounin
http://nginx.org/
gthb (Guest)
on 2014-09-02 12:17
(Received via mailing list)
Yep, works like a charm, thank you! And two consecutive ifs to strip two
cookies work as well:

    set $stripped_cookie $http_cookie;
    if ($http_cookie ~ "(.*)(?:^|;)\s*sessionid=[^;]+(.*)$") {
        set $stripped_cookie $1$2;
    }
    if ($stripped_cookie ~ "(.*)(?:^|;)\s*csrftoken=[^;]+(.*)$") {
        set $stripped_cookie $1$2;
    }

Cheers,

Gulli

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,252944,253012#msg-253012
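One way to put the whole workaround from the question together, as an added example that is not part of the thread: an HTTPS-only server for blog.foo.com that redirects plain HTTP, strips the two parent-domain cookies with the pattern confirmed above, and proxies to foo.wordpress.com. The hostnames, certificate paths and the cookie names sessionid and csrftoken are placeholders, and proxy_ssl_server_name assumes nginx 1.7.0 or later.

```nginx
# Added example, not from the thread. blog.foo.com, foo.wordpress.com,
# the certificate paths and the cookie names are placeholders.

# Plain HTTP is redirected, never proxied, so the browser's cookies
# are only ever accepted over TLS.
server {
    listen 80;
    server_name blog.foo.com;
    return 301 https://blog.foo.com$request_uri;
}

server {
    listen 443 ssl;
    server_name blog.foo.com;

    ssl_certificate     /etc/ssl/blog.foo.com.crt;
    ssl_certificate_key /etc/ssl/blog.foo.com.key;

    # Copy the browser's Cookie header, then remove the parent-domain
    # cookies one at a time. In each match $1 is the text before the
    # cookie and $2 the text after it, so $1$2 is the header without it.
    set $stripped_cookie $http_cookie;
    if ($http_cookie ~ "(.*)(?:^|;)\s*sessionid=[^;]+(.*)$") {
        set $stripped_cookie $1$2;
    }
    if ($stripped_cookie ~ "(.*)(?:^|;)\s*csrftoken=[^;]+(.*)$") {
        set $stripped_cookie $1$2;
    }

    location / {
        proxy_pass https://foo.wordpress.com;
        proxy_set_header Host foo.wordpress.com;

        # Send SNI for the upstream TLS handshake (nginx 1.7.0+).
        proxy_ssl_server_name on;

        # Only the filtered copy goes upstream, never $http_cookie itself.
        # An empty value makes nginx omit the Cookie header entirely.
        proxy_set_header Cookie $stripped_cookie;
    }
}
```

Two things to keep in mind when adapting this. proxy_set_header drops a header whose value is empty, so a request whose only cookies were sessionid and csrftoken reaches the upstream with no Cookie header at all, which is what you want. Each if removes one occurrence of its cookie, and when the stripped cookie was first in the header the remaining value starts with "; ", which cookie parsers generally tolerate; before relying on it, confirm what actually reaches the upstream, for instance by pointing proxy_pass at a local listener that logs request headers.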