Opened 3 months ago

Closed 2 months ago

Last modified 2 months ago

#1701 closed defect (invalid)

unable to import module ngx_http_proxy_module to secure cookies

Reported by: arvindkrbhatt@… Owned by:
Priority: critical Milestone:
Component: other Version: 1.8.x
Keywords: secure cookies Cc: arvind.kumar.bhatt@…
uname -a: Linux 0fb24584aa26 4.4.0-112-generic #135-Ubuntu SMP Fri Jan 19 11:48:36 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.8.0 built by gcc 4.8.4 (Ubuntu 4.8.4-2ubuntu1~14.04.4) built with OpenSSL 1.0.1f 6 Jan 2014 TLS SNI support enabled configure arguments: --add-module=/root/nginx-auth-ldap --add-module=/root/nginx_cookie_flag_module --with-http_ssl_module --with-debug --conf-path=/etc/nginx/nginx.conf --sbin-path=/usr/sbin/nginx --pid-path=/var/run/nginx.pid --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log

Description

We are using Nginx running as a container, but we see that the cookies/session IDs generated are not secure. Only a few of them seem to be secured, but the others are not. We are trying to apply proxy_cookie_path / "/; HTTPOnly; Secure";

but we are not sure how to add the ngx_http_proxy_module module. This is not available on GitHub.

Rather, we have used set_cookie_flag HttpOnly secure; with the module nginx_cookie_flag_module.

Even then I can't see that all cookies are secured.

Attachments (1)

Capture.PNG (35.6 KB) - added by arvindkrbhatt@… 3 months ago.
secure cookies screen shot


Change History (4)

Changed 3 months ago by arvindkrbhatt@…

secure cookies screen shot

comment:1 Changed 2 months ago by mdounin

  • Resolution set to invalid
  • Status changed from new to closed

To return cookies with the "Secure" flag set, consider instructing your backend to do so when returning Set-Cookie headers. The proxy module does not try to change cookie flags, it is only capable of changing domain and path using the proxy_cookie_domain and proxy_cookie_path directives.
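As an added illustration of the point made in this comment (example code, not from the ticket, from nginx or from the cookie-flag module): a simplified Python model of proxy_cookie_path, which only rewrites the Path attribute, next to an audit of which Set-Cookie headers still lack the Secure and HttpOnly flags. The cookie names and headers are constructed, and the prefix-replacement behaviour of the Path attribute is an assumption about nginx rather than something the ticket states.

```python
# Added example: a model of proxy_cookie_path beside a Set-Cookie flag audit.
from typing import Dict, List, Tuple

Cookie = Tuple[str, str, Dict[str, str]]  # (name, value, {attr-lowercase: raw attr})


def parse_set_cookie(header: str) -> Cookie:
    """Split one Set-Cookie value into cookie name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        key = attr.split("=", 1)[0].strip().lower()
        attrs[key] = attr
    return name.strip(), value, attrs


def proxy_cookie_path(header: str, pattern: str, replacement: str) -> str:
    """Model of nginx proxy_cookie_path (assumption: the pattern is matched as a
    prefix of the Path attribute and replaced verbatim). Cookies without a Path
    attribute have nothing to rewrite and pass through unchanged."""
    parts = [p.strip() for p in header.split(";")]
    for i, attr in enumerate(parts[1:], start=1):
        key, _, val = attr.partition("=")
        if key.strip().lower() == "path" and val.startswith(pattern):
            parts[i] = "Path=" + replacement + val[len(pattern):]
    return "; ".join(parts)


def insecure_cookies(headers: List[str]) -> List[str]:
    """Names of cookies that are missing the Secure or the HttpOnly flag."""
    missing = []
    for h in headers:
        name, _, attrs = parse_set_cookie(h)
        if "secure" not in attrs or "httponly" not in attrs:
            missing.append(name)
    return missing


# Constructed sample headers as a backend might emit them (not real traffic).
UPSTREAM = [
    "JSESSIONID.abc123=deadbeef; Path=/",        # has Path: rewrite reaches it
    "screenResolution=1920x1080",                # no Path: rewrite never touches it
    "remember-me=xyz; Secure; HttpOnly",         # already flagged by the backend
]


def after_rewrite(headers: List[str] = UPSTREAM) -> List[str]:
    """Apply the ticket's proxy_cookie_path / "/; HttpOnly; Secure" trick."""
    return [proxy_cookie_path(h, "/", "/; HttpOnly; Secure") for h in headers]
```

Running the audit before and after the rewrite shows why only some cookies came out secured: the path rewrite happens to append the flags to cookies that carry Path=/, while a cookie with no Path attribute is left exactly as the backend sent it, so setting the flags at the backend remains the reliable fix.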

comment:2 Changed 2 months ago by arvindkrbhatt@…

I logged the same ticket in for Jenkins https://issues.jenkins-ci.org/browse/SECURITY-1270
but they say that it is indicating a bad configuration of your Jenkins instance. Please ask on the public users mailing lists or IRC for advice on how to configure Jenkins or your reverse proxy properly.

Can you please help with what exactly is required here? We used set_cookie_flag HttpOnly secure;
but we are not sure what else is required from our end if both Nginx and Jenkins have no issues.

Last edited 2 months ago by arvindkrbhatt@…

comment:3 Changed 2 months ago by mdounin

For questions on how to configure nginx, consider using the support options available. For questions on how to configure Jenkins, consider using the appropriate Jenkins resources.
