Opened 5 months ago

Closed 5 months ago

#2331 closed enhancement (invalid)

proxy_cookie_path / proxy_cookie_domain and custom cookie fileds

Reported by: Tux12Fun@… Owned by:
Priority: minor Milestone:
Component: nginx-module Version: 1.18.x
Keywords: ngx_http_proxy_module, proxy_cookie_path, proxy_cookie_domain Cc: Tux12Fun@…
uname -a: Linux hostname 5.11.0-1029-gcp #33~20.04.3-Ubuntu SMP Tue Jan 18 12:03:29 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.18.0 (Ubuntu)
built with OpenSSL 1.1.1f 31 Mar 2020
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-KTLRnK/nginx-1.18.0=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-compat --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-mail=dynamic --with-mail_ssl_module

Description

Hi,
currently I have to hide a web-page behind nginx but this website is using a cookie to set the redirect URL after the login and for other pages. I know a ugly solution, but I can't change the 3th party product.

In my Browser this looks like this:
(RESPONSE-HEADER WebTools Google Chrome)

set-cookie: Replicate.3552.Redirect=/attunityreplicate/2021.5.0.1011/; Path=/attunityreplicate; HttpOnly

as I have to reverse proxy 3 of this instances on one host(domain) and port(443) I built
sub locations to host this 3 instances like this:

location ^~ /ate01/ {
proxy_set_header                 Host $http_host;
proxy_set_header                 X-Real-IP $remote_addr;
proxy_ssl_verify                 off;
proxy_set_header                 X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header                 X-Forwarded-Host $host:$server_port;
proxy_set_header                 X-Forwarded-Proto $scheme;
proxy_set_header                 X-Forwarded-Server $host;
proxy_set_header                 X-Original-URI $request_uri;
proxy_hide_header                'access-control-allow-origin';
proxy_hide_header                X-Frame-Options;
proxy_hide_header                x-content-type-options;
proxy_hide_header                x-xss-protection;
sub_filter                       '/attunityreplicate' '/ate01/attunityreplicate';
sub_filter_types *;
sub_filter_once                  off;
proxy_cookie_path                ~*/attunityreplicate(.*) /ate01/attunityreplicate$1;
rewrite                          ^/ate01/(.*)$  /$1  break;
proxy_pass                       https###10.x.x.xxx:3552/;
proxy_redirect                   /attunityreplicate https://our.domain.com/ate01/attunityreplicate;
proxy_redirect                   https###our.domain.com/attunityreplicate https###our.domain.com/ate01/attunityreplicate;
}

Replaced : with ### because got the TAC Message max URLs reached

With the proxy_cookie_path parameter i was able to transform the cookie to this.

(RESPONSE-HEADER WebTools Google Chrome)

set-cookie: Replicate.3552.Redirect=/attunityreplicate/2021.5.0.1011/; Path=/ate01/attunityreplicate; HttpOnly

but how can i rewrite the Replicate.3552.Redirect= Part to /ate01/attunityreplicate/.... .

Even after looking into the nginx source code i wasn't able to find a solution, but I have seen in ngx_http_proxy_module.c line 2742 a compare to "path" case insensitive, 2727 a compare to domains. So I wonderd if it would possible to provide a more generic method to lookup cookie keys with a regex and use a search and replace regex with backrefs.

Or I'm totally wrong and the development Team of nginx has already implemented a proper solution to solve this,
that I haven't found?

Change History (1)

comment:1 by Maxim Dounin, 5 months ago

Resolution: invalid
Status: newclosed

It looks like you are trying to rewrite data in the cookie itself, not the cookie attributes. This is not something you can do with proxy_rewrite_cookie_* directives.

Likely a working solution for your particular use case can be provided by hiding the cookie completely with proxy_hide_header Set-Cookie; and providing a replacement header with add_header Set-Cookie ...; instead, based on the $upstream_http_set_cookie and/or $upstream_cookie_* variables appropriately modified using map.

Also it might be a good idea to actually implement appropriate modifications in the upstream server instead of trying to "fix" things in nginx. If that's not possible, consider using dedicated subdomains for each upstream instance. Trying to do anything but trivial modifications on the nginx side is believed to be almost always a bad idea in the long run.

If you need further help with configuring nginx, consider using support options available.

Note: See TracTickets for help on using tickets.