I'm using nginx as a reverse proxy to serve a https-only site. So I want the cookies for this site flagged as secure. But the backend server is an http one so it won't set the secure flag to its cookies. How can I modify the Set-Cookie header in response to add a secure flag?
14
- Such an override is currently not possible, but there is an issue/ticket about `proxy_cookie_secure`: https://trac.nginx.org/nginx/ticket/368. However it is not yet implemented (and the issue is old). – rugk May 15 '16 at 23:13
- This third-party [module](https://github.com/AirisX/nginx_cookie_flag_module) could help you. – Airis Mar 19 '17 at 13:06
- Asked and answered over on SO. See SO for nginx example for Tomcat7: https://stackoverflow.com/questions/19916906/nginx-managed-ssl-with-tomcat-7/24099526#24099526 – Joseph Lust Jun 07 '14 at 16:57
3 Answers
4
You might be able to get your nginx proxy to modify the cookies created by the backend and set the secure flag - for inspiration see How to rewrite the domain part of Set-Cookie in a nginx reverse proxy?.
However I'd imagine that getting whatever is creating the cookie on the backend to set the secure flag is going to be a better solution. How you do that is another story (or question :).

Jon Rhoades
- It might help you to set the `X-Forwarded-Proto` header and make sure it is interpreted by your application. This is a common technique and also enables mixed http/https applications to react properly based on the protocol. – Lukas Apr 08 '13 at 17:17
4
I use the following nginx config code:
```nginx
# make cookie secure (case sensitive)
proxy_cookie_domain ~(?P<secure_domain>([-0-9a-z]+\.)?[-0-9a-z]+\.[a-z]+)$ "$secure_domain; secure";
```
Instead of using the regex to make this dynamic, you can of course use the FQDN.

r_3
- Is this just on response or both request and response? When the client sends a request with the secure flag set, does nginx strip it so the web server doesn't complain? – Tigran Aug 25 '18 at 16:04
1
This helped me:
```nginx
proxy_cookie_path / "/; secure";
```
See http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cookie_path

Grigory Kislin
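A check for the result of the rewrites in the answers above, added here as an example and not taken from any of the posts: it parses `Set-Cookie` response headers as seen through the proxy and lists the cookies that still lack the `Secure` attribute. `proxy_cookie_path` and `proxy_cookie_domain` only change a `Path` or `Domain` attribute the backend actually sent, so a cookie without one passes through unmodified. The header lines and function names are constructed for illustration, assuming the `proxy_cookie_path / "/; secure";` setup.

```python
# Added example: audit Set-Cookie headers observed behind the reverse proxy.
# SAMPLE_HEADERS is constructed input (assumed proxy_cookie_path setup),
# not captured traffic.
SAMPLE_HEADERS = [
    "Set-Cookie: JSESSIONID=abc123; Path=/; secure; HttpOnly",  # Path rewritten
    "Set-Cookie: lang=en; Domain=example.com",   # no Path, so nothing to rewrite
    "Set-Cookie: theme=secure; HttpOnly",        # "secure" is only the value
    "Set-Cookie: csrf=tok; Path=/; SECURE",      # attribute names ignore case
    "Content-Type: text/html",                   # unrelated header, skipped
]


def parse_set_cookie(header_line):
    """Return (cookie_name, attrs); attrs maps lower-cased attribute names to values."""
    _, _, raw = header_line.partition(":")
    parts = [p.strip() for p in raw.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue  # tolerate a trailing ';'
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def cookies_missing_secure(header_lines):
    """List (name, has_path, has_domain) for every cookie sent without Secure.

    has_path / has_domain show whether the proxy directive had an attribute
    to rewrite at all, which explains why a cookie was missed.
    """
    missing = []
    for line in header_lines:
        if not line.lower().startswith("set-cookie:"):
            continue
        name, attrs = parse_set_cookie(line)
        # Only a real attribute counts, never the word "secure" in the value.
        if "secure" not in attrs:
            missing.append((name, "path" in attrs, "domain" in attrs))
    return missing


if __name__ == "__main__":
    for name, has_path, has_domain in cookies_missing_secure(SAMPLE_HEADERS):
        print(f"{name}: no Secure flag (Path sent: {has_path}, Domain sent: {has_domain})")
```
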