Opened 6 years ago

Closed 6 years ago

Last modified 6 years ago

#1701 closed defect (invalid)

unable to import module ngx_http_proxy_module to secure cookies

Reported by: arvindkrbhatt@…
Owned by:
Priority: critical
Milestone:
Component: other
Version: 1.8.x
Keywords: secure cookies
Cc: arvind.kumar.bhatt@…
uname -a: Linux 0fb24584aa26 4.4.0-112-generic #135-Ubuntu SMP Fri Jan 19 11:48:36 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.8.0
built by gcc 4.8.4 (Ubuntu 4.8.4-2ubuntu1~14.04.4)
built with OpenSSL 1.0.1f 6 Jan 2014
TLS SNI support enabled
configure arguments: --add-module=/root/nginx-auth-ldap --add-module=/root/nginx_cookie_flag_module --with-http_ssl_module --with-debug --conf-path=/etc/nginx/nginx.conf --sbin-path=/usr/sbin/nginx --pid-path=/var/run/nginx.pid --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log

Description

We are using nginx running as a container, but we see that the cookies/session IDs generated are not secure. Only a few of them seem to be secured, but the others are not. We are trying to apply proxy_cookie_path / "/; HTTPOnly; Secure";

but we are not sure how to add the ngx_http_proxy_module module. This is not available on GitHub.

Rather, we have used set_cookie_flag HttpOnly secure; with the module nginx_cookie_flag_module.

Even then I can't see that all cookies are secured.

Attachments (1)

Capture.PNG (35.6 KB ) - added by arvindkrbhatt@… 6 years ago.
secure cookies screen shot


Change History (4)

by arvindkrbhatt@…, 6 years ago

Attachment: Capture.PNG added

secure cookies screen shot

comment:1 by Maxim Dounin, 6 years ago

Resolution: invalid
Status: new → closed

To return cookies with the "Secure" flag set, consider instructing your backend to do so when returning Set-Cookie headers. The proxy module does not try to change cookie flags, it is only capable of changing domain and path using the proxy_cookie_domain and proxy_cookie_path directives.
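
The following is an added example, not code from the ticket, from nginx or from Jenkins. It models, in Python, what the reporter's proxy_cookie_path / "/; HTTPOnly; Secure" trick does to a set of Set-Cookie headers, then audits which cookies still lack Secure/HttpOnly. The model is an assumption based on the nginx documentation's description of the plain-string form of proxy_cookie_path as a case-insensitive prefix replacement on the cookie's Path attribute: a cookie whose path is exactly "/" gets the flags appended, a cookie with a longer path such as "/jenkins/" gets its Path attribute mangled, and a cookie with no Path attribute is not touched at all. The sample headers and cookie names are constructed for the demonstration. Two caveats apply regardless of the rewrite used: the proxy can only edit Set-Cookie headers in upstream responses it forwards, so cookies created in the browser by JavaScript never pass through it, and, as the comment above says, the robust fix is for the backend to emit the flags itself (nginx 1.19.3 and later also offer a dedicated proxy_cookie_flags directive, which the 1.8.x build in this ticket does not have).

```python
"""Added example (not from the ticket, nginx or Jenkins): model of the
proxy_cookie_path flag-appending trick, plus a Set-Cookie flag audit.
All sample headers below are constructed for the demo."""

import re
from typing import Dict, List, Tuple

# Constructed sample of upstream Set-Cookie headers (not real Jenkins output).
SAMPLE_SET_COOKIE = [
    "JSESSIONID.1a2b3c4d=node01abc.node0; Path=/; HttpOnly",
    "ui_prefs=dark; Path=/",
    "remember-me=dG9rZW4=; Path=/jenkins/; HttpOnly; Max-Age=1209600",
    "tracking=1",  # no Path attribute at all
]


def parse_set_cookie(header: str) -> Tuple[str, str, List[Tuple[str, str]]]:
    """Split a Set-Cookie header into (name, value, [(attr, attr_value), ...]).

    Attribute names keep their original spelling; callers compare them
    case-insensitively, as browsers do. Valueless attributes get ''.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: List[Tuple[str, str]] = []
    for p in parts[1:]:
        if not p:
            continue
        k, _, v = p.partition("=")
        attrs.append((k.strip(), v.strip()))
    return name.strip(), value.strip(), attrs


def has_flag(header: str, flag: str) -> bool:
    """True if the header carries the given valueless attribute (Secure, HttpOnly)."""
    _, _, attrs = parse_set_cookie(header)
    return any(k.lower() == flag.lower() and v == "" for k, v in attrs)


def model_proxy_cookie_path(header: str, path: str, replacement: str) -> str:
    """Simplified model (an assumption, not nginx's code) of the plain-string
    form of proxy_cookie_path: locate the Path attribute and, if its value
    starts with `path` (case-insensitive), replace that prefix with
    `replacement`. Headers without a Path attribute are returned unchanged.
    """
    m = re.search(r"(;\s*path=)([^;]*)", header, flags=re.IGNORECASE)
    if not m:
        return header
    current = m.group(2)
    if not current.lower().startswith(path.lower()):
        return header
    rewritten = replacement + current[len(path):]
    return header[: m.start(2)] + rewritten + header[m.end(2):]


def add_flags(header: str, secure: bool = True, httponly: bool = True) -> str:
    """What a correct rewrite looks like (ideally done by the backend itself):
    append Secure/HttpOnly only when missing and leave the Path alone."""
    out = header.rstrip("; ")
    if secure and not has_flag(header, "Secure"):
        out += "; Secure"
    if httponly and not has_flag(header, "HttpOnly"):
        out += "; HttpOnly"
    return out


def audit(headers: List[str]) -> Dict[str, List[str]]:
    """Map each cookie name to the flags it is still missing."""
    report: Dict[str, List[str]] = {}
    for h in headers:
        name, _, _ = parse_set_cookie(h)
        missing = [f for f in ("Secure", "HttpOnly") if not has_flag(h, f)]
        if missing:
            report[name] = missing
    return report


def run_demo() -> Dict[str, List[str]]:
    """Apply the reporter's trick to the samples; return what is still insecure."""
    rewritten = [
        model_proxy_cookie_path(h, "/", "/; HTTPOnly; Secure")
        for h in SAMPLE_SET_COOKIE
    ]
    for before, after in zip(SAMPLE_SET_COOKIE, rewritten):
        print(f"{before}\n  -> {after}")
    return audit(rewritten)


if __name__ == "__main__":
    print("still missing flags:", run_demo())
```

Running the demo shows the pattern the reporter describes: the two cookies scoped to "/" come out with both flags, the "/jenkins/" cookie ends up with Path=/ and an unknown attribute "Securejenkins/" (so it is silently rescoped and still not Secure), and the cookie with no Path attribute is untouched. The audit function can be pointed at real response headers (for example the Set-Cookie lines from curl -sI) to list exactly which cookies still need fixing at the backend.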

comment:2 by arvindkrbhatt@…, 6 years ago

I logged the same ticket for Jenkins at https://issues.jenkins-ci.org/browse/SECURITY-1270
but they say that it indicates a bad configuration of your Jenkins instance: "Please ask on the public users mailing lists or IRC for advice how to configure Jenkins or your reverse proxy properly."

Can you please help with what exactly is required here? We used set_cookie_flag HttpOnly secure;
but are not sure what else is required from our end if neither nginx nor Jenkins has any issues.

Last edited 6 years ago by arvindkrbhatt@…

comment:3 by Maxim Dounin, 6 years ago

For questions on how to configure nginx, consider using the support options available. For questions on how to configure Jenkins, consider using the appropriate Jenkins resources.
