@haproxytechblog
Last active October 31, 2022 21:12
Secure Cookies Using HAProxy Enterprise

# A cookie carrying both attributes: Secure (sent only over TLS) and HttpOnly (hidden from scripts)
Set-Cookie: User=Seb; path=/; Secure; HttpOnly

# Three cookies sent as three separate set-cookie headers
set-cookie: Cookie1=Value1
set-cookie: Cookie2=Value-of-cookie2
set-cookie: Cookie3=Other-value; path=/

# Same result, but using header folding (Cookie2 and Cookie3 share one comma-separated header)
set-cookie: Cookie1=Value1
set-cookie: Cookie2=Value-of-cookie2, Cookie3=Other-value; path=/

# Persistence cookie inserted by HAProxy itself, with the httponly and secure attributes
backend webservers
    [...]
    cookie SRV insert indirect httponly secure
    server s1 192.168.0.101:80 check cookie s1
    server s2 192.168.0.102:80 check cookie s2

# Resulting response: only the SRV cookie gets the attributes, the application cookies are untouched
set-cookie: Cookie1=Value1
set-cookie: Cookie2=Value-of-cookie2, Cookie3=Other-value; path=/
set-cookie: SRV=s1; path=/; HttpOnly; Secure

# Legacy rspirep syntax: append Secure over HTTPS when no Set-Cookie header contains it yet
acl https ssl_fc
acl secured_cookie res.hdr(Set-Cookie),lower -m sub secure
rspirep ^(set-cookie:.*) \1;\ Secure if https !secured_cookie

# Response headers before rewriting
set-cookie: Cookie1=Value1, Cookie2=Value-of-cookie2; HttpOnly
set-cookie: Cookie3=Other-value; path=/

# Append HttpOnly, guarded by an ACL on the Set-Cookie header
acl http_cookie res.hdr(Set-Cookie),lower -m sub httponly
http-response replace-header Set-Cookie "(.*)" "\1; HttpOnly" if !http_cookie

# Result: the ACL matches because one header already contains HttpOnly, so the rule is
# skipped for every header; the SRV cookie is added after http-response rules run, so it
# is never seen by the rule at all
set-cookie: Cookie1=Value1, Cookie2=Value-of-cookie2; HttpOnly
set-cookie: Cookie3=Other-value; path=/
set-cookie: SRV=s1; path=/

# Check that the binary was built with PCRE/PCRE2, which the lookahead regex below requires
# Enterprise edition
/opt/hapee-2.6/sbin/hapee-lb -vv | grep 'Built with PCRE'
# Community edition
haproxy -vv | grep 'Built with PCRE'
# Expected output
Built with PCRE2 version : 10.32 2018-09-10

# Negative lookahead: the regex only matches a header value that does not yet contain httponly
http-response replace-header Set-Cookie '(^((?!(?i)httponly).)*$)' "\1; HttpOnly"

# Result: the folded header is skipped as a whole (it already contains HttpOnly), Cookie3 gets
# the attribute, and the SRV cookie is still out of reach of http-response rules
set-cookie: Cookie1=Value1, Cookie2=Value-of-cookie2; HttpOnly
set-cookie: Cookie3=Other-value; path=/; HttpOnly
set-cookie: SRV=s1; path=/

# replace-value applies the regex to each comma-separated value instead of the whole header
http-response replace-value Set-Cookie '(^((?!(?i)httponly).)*$)' "\1; HttpOnly"

# Result: Cookie1 is now covered too, SRV still is not
set-cookie: Cookie1=Value1; HttpOnly, Cookie2=Value-of-cookie2; HttpOnly
set-cookie: Cookie3=Other-value; path=/; HttpOnly
set-cookie: SRV=s1; path=/

# http-after-response runs after HAProxy has added its own SRV persistence cookie
http-after-response replace-value Set-Cookie '(^((?!(?i)httponly).)*$)' "\1; HttpOnly"

# Result: every cookie, including SRV, carries HttpOnly
set-cookie: Cookie1=Value1; HttpOnly, Cookie2=Value-of-cookie2; HttpOnly
set-cookie: Cookie3=Other-value; path=/; HttpOnly
set-cookie: SRV=s1; path=/; HttpOnly

# Pitfall with replace-value: an expires date contains a comma, so the value is split in two
# and the attribute is appended to both halves, corrupting the cookie
Set-Cookie: Cookie1=Value1; expires=Tue, 27-Sept-2023 09:14:05 GMT
Set-Cookie: Cookie1=Value1; expires=Tue; HttpOnly, 27-Sept-2023 09:14:05 GMT; HttpOnly

# Use replace-header instead, which treats the whole header as one value
http-after-response replace-header Set-Cookie '(^((?!(?i)httponly).)*$)' "\1; HttpOnly"

# Complete example: HttpOnly on every cookie, Secure only on responses delivered over TLS
frontend www_fe
    bind :80
    bind :443 ssl crt my-cert.pem
    mode http
    # The original referenced 'www_be', a backend that is not defined; point at 'webservers'
    use_backend webservers
    http-after-response replace-header Set-Cookie '(^((?!(?i)httponly).)*$)' "\1; HttpOnly"
    http-after-response replace-header Set-Cookie '(^((?!(?i)secure).)*$)' "\1; Secure" if { ssl_fc }

backend webservers
    mode http
    cookie SRV insert indirect
    server s1 192.168.10.101:8000 check cookie s1
    server s2 192.168.10.102:8000 check cookie s2
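The following Python script is an added example, not part of the gist or of HAProxy: it models how the replace-header and replace-value actions treat a Set-Cookie header, using the same negative-lookahead pattern as the rules above, so the difference between the two (and the expires-date pitfall) can be reproduced offline. Assumptions: the PCRE2 pattern is translated to Python syntax with a scoped (?i:...) flag, because Python 3.11+ rejects a global (?i) placed mid-pattern; replace-value's comma splitting is simplified (no quoted-string handling); the sample headers are constructed from the examples on this page.

```python
import re
from typing import List, Tuple

# Python translation of the PCRE2 pattern '(^((?!(?i)httponly).)*$)' used in the
# gist. PCRE2 accepts a mid-pattern global (?i); Python 3.11+ rejects it, so the
# case-insensitive flag is scoped to the word: (?i:httponly). The pattern matches
# the whole string only if "httponly" never appears, i.e. the attribute is missing.
NO_HTTPONLY = re.compile(r"^((?!(?i:httponly)).)*$")
NO_SECURE = re.compile(r"^((?!(?i:secure)).)*$")


def add_flag_to_header(value: str, missing: re.Pattern, flag: str) -> str:
    """Model of replace-header: the regex is tested against the entire header
    value and '; <flag>' is appended only when the attribute is absent."""
    return f"{value}; {flag}" if missing.match(value) else value


def add_flag_to_values(value: str, missing: re.Pattern, flag: str) -> str:
    """Model of replace-value: the header is split on commas (simplified: no
    quoted-string handling) and the regex runs on every piece separately.
    This is what mangles an 'expires=Tue, 27-Sept-2023 ...' date."""
    pieces = [p.strip() for p in value.split(",")]
    return ", ".join(add_flag_to_header(p, missing, flag) for p in pieces)


Header = Tuple[str, str]


def secure_cookies(headers: List[Header], tls: bool) -> List[Header]:
    """Model of the two http-after-response replace-header rules in the complete
    config: HttpOnly always, Secure only when the connection used TLS.
    http-after-response runs after HAProxy adds its SRV persistence cookie,
    so every Set-Cookie header, including SRV, is covered."""
    out: List[Header] = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            value = add_flag_to_header(value, NO_HTTPONLY, "HttpOnly")
            if tls:
                value = add_flag_to_header(value, NO_SECURE, "Secure")
        out.append((name, value))
    return out


if __name__ == "__main__":
    # Constructed sample response, taken from the header examples in the gist.
    response = [
        ("Content-Type", "text/html"),
        ("Set-Cookie", "Cookie1=Value1, Cookie2=Value-of-cookie2; HttpOnly"),
        ("Set-Cookie", "Cookie3=Other-value; path=/"),
        ("Set-Cookie", "SRV=s1; path=/"),
    ]
    for name, value in secure_cookies(response, tls=True):
        print(f"{name}: {value}")

    # The expires pitfall: replace-value splits the date at its comma.
    dated = "Cookie1=Value1; expires=Tue, 27-Sept-2023 09:14:05 GMT"
    print("replace-value: ", add_flag_to_values(dated, NO_HTTPONLY, "HttpOnly"))
    print("replace-header:", add_flag_to_header(dated, NO_HTTPONLY, "HttpOnly"))
```

Running it reproduces the two outputs shown above: replace-value rewrites the dated cookie into two broken halves, while replace-header leaves the date intact and appends a single HttpOnly. The script also makes the remaining trade-off visible: on a folded header such as `Cookie1=Value1, Cookie2=Value-of-cookie2; HttpOnly`, replace-header skips the whole header because the lookahead finds HttpOnly on the last cookie, so Cookie1 stays unprotected. If the application folds Set-Cookie headers, the safest fix is to stop folding at the application rather than to rely on replace-value.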