#1701 closed defect (invalid)
unable to import module ngx_http_proxy_module to secure cookies
| Reported by: | Owned by: | ||
|---|---|---|---|
| Priority: | critical | Milestone: | |
| Component: | other | Version: | 1.8.x |
| Keywords: | secure cookies | Cc: | arvind.kumar.bhatt@… |
| uname -a: | Linux 0fb24584aa26 4.4.0-112-generic #135-Ubuntu SMP Fri Jan 19 11:48:36 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux | ||
| nginx -V: |
nginx version: nginx/1.8.0
built by gcc 4.8.4 (Ubuntu 4.8.4-2ubuntu1~14.04.4) built with OpenSSL 1.0.1f 6 Jan 2014 TLS SNI support enabled configure arguments: --add-module=/root/nginx-auth-ldap --add-module=/root/nginx_cookie_flag_module --with-http_ssl_module --with-debug --conf-path=/etc/nginx/nginx.conf --sbin-path=/usr/sbin/nginx --pid-path=/var/run/nginx.pid --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log |
||
Description
we are using Nginx running as container but we see cookies/session ids generated are not secure. only few of them seems as secured but others not. we are trying to apply proxy_cookie_path / "/; HTTPOnly; Secure";
but we are not sure how to add ngx_http_proxy_module module. this is not available in github.
rather we have used set_cookie_flag HttpOnly secure; with module nginx_cookie_flag_module.
even then i can't see all cookies are secured.
Attachments (1)
Change History (4)
by , 5 years ago
| Attachment: | Capture.PNG added |
|---|
comment:1 by , 5 years ago
| Resolution: | → invalid |
|---|---|
| Status: | new → closed |
To return cookies with the "Secure" flag set, consider instructing your backend to do so when returning Set-Cookie headers. The proxy module does not try to change cookie flags, it is only capable of changing domain and path using the proxy_cookie_domain and proxy_cookie_path directives.
comment:2 by , 5 years ago
I logged the same ticket in for Jenkins https://issues.jenkins-ci.org/browse/SECURITY-1270
but they say that it indicating a bad configuration of your Jenkins instance. Please ask on the public users mailing lists or IRC for advice how to configure Jenkins or your reverse proxy properly.
Can you please help here what exactly required here? we used set_cookie_flag HttpOnly secure;
but not sure what else required from our end if both Nginx and Jenkins has no any issues.
comment:3 by , 5 years ago
For questions on how to configure nginx, consider using support options available. For question on how to configure Jenkins, consider using appropriate Jenkins resources.
secure cookies screen shot