Bug #13343
Closed
HAproxy cookie protection syntax needs updated
100%
Description
A bug has been found after the update to pfSense Plus 22.05: the code generated by the HAProxy GUI
rspirep ^(Set-Cookie:((?!;\ secure).)*)$ \1;\ secure if { ssl_fc }
used by the checkbox /backend settings ... HSTS / Cookie protection is obsolete.
So I fixed it - temporarily - by disabling the checkbox but adding the following "Backend pass thru":
http-response replace-header Set-Cookie "^((?:(?!; [Ss]ecure\b).)*)\$" "\1; secure" if { ssl_fc }
Still waiting for a fix in the GUI of haproxy.
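The replace-header rule from the report above, emulated with Python's `re` module as an added example (not part of the original report or of the pfSense package). The function names and sample header values are constructed, and it assumes the regex reaches the engine with the config escape `\$` reduced to `$`. It shows which Set-Cookie values the pattern rewrites, including two spellings of the attribute (upper case, no space after the semicolon) that the pattern does not recognise as already present.

```python
import re

# Regex from the "Backend pass thru" line, as the regex engine sees it
# (assumption: the config-file escape "\$" becomes a plain "$").
MISSING_SECURE = re.compile(r"^((?:(?!; [Ss]ecure\b).)*)$")
REPLACEMENT = r"\1; secure"


def rewrite_set_cookie(value: str, tls_frontend: bool = True) -> str:
    """Emulate the rule on one Set-Cookie header value."""
    if not tls_frontend:  # mirrors the "if { ssl_fc }" condition
        return value
    # The pattern is anchored at both ends, so it either matches the
    # whole value (attribute missing) or does not match at all.
    return MISSING_SECURE.sub(REPLACEMENT, value, count=1)


def audit(values):
    """Return (original, rewritten, note) for each header value."""
    report = []
    for value in values:
        out = rewrite_set_cookie(value)
        # Cookie attribute names are case-insensitive (RFC 6265).
        attrs = [a.strip().lower() for a in out.split(";")[1:]]
        count = attrs.count("secure")
        note = "ok" if count == 1 else f"secure attribute appears {count} times"
        report.append((value, out, note))
    return report


# Constructed sample header values, not captured traffic.
SAMPLES = [
    "sid=abc; Path=/; HttpOnly",   # attribute missing: appended
    "sid=abc; Secure; HttpOnly",   # already present: untouched
    "securetoken=1; Path=/",       # "secure" only in the cookie name
    "sid=abc; SECURE",             # upper case: not recognised
    "sid=abc;Secure",              # no space after ";": not recognised
]

if __name__ == "__main__":
    for original, rewritten, note in audit(SAMPLES):
        print(f"{original!r} -> {rewritten!r} [{note}]")
```
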
Updated by Kris Phillips over 2 years ago
Hello,
Is this present on the stable or devel branch? Or both?
Updated by Johannes Goldynia over 2 years ago
Hello,
the bug is there if the haproxy package installation dependency is set to use
haproxy22-2.2.22 (no more "rspirep" support)
If it is set to the "old"
haproxy18-1.8.30
it is OK because "rspirep" is supported ...
It is on the stable branch of pfSense Plus 22.05 together with haproxy (NOT devel).
BR Johannes
Updated by Kris Phillips over 2 years ago
- Status changed from New to Confirmed
Here is the error message in 2.0 of HAProxy:
The 'rspirep' directive is deprecated in favor of 'http-response replace-header' and will be removed in next version.
The function needs to be changed on the webConfigurator interface to represent the new way of formatting this, as it'll affect devel as well.
Updated by Alexandre J almost 2 years ago
Hello,
Thank you Johannes Goldynia for the work-around, this worked for me too.
Is the fix in the GUI function difficult to put in place? I don't see any due date for that bug to be corrected.
Updated by Jim Pingle over 1 year ago
- Has duplicate Bug #14536: Backend cookie protection option generates invalid haproxy config file added
Updated by Jim Pingle over 1 year ago
- Subject changed from haproxy to HAproxy cookie protection syntax needs updated
Updated by Alfredo Pironti over 1 year ago
Sorry for the duplicate report; for some reason I missed this one.
I've now prepared a pull request https://github.com/pfsense/FreeBSD-ports/pull/1272 based on the temporary fix proposed in this original bug report.
Hope this helps!
Updated by Jim Pingle over 1 year ago
- Status changed from Confirmed to Pull Request Review
Updated by Jim Pingle over 1 year ago
- Status changed from Pull Request Review to Feedback
PR merged, thanks!
Packages are building for Plus 23.05.1 and CE 2.7.0, they will be available shortly.
Updated by Johannes Goldynia over 1 year ago
Hello,
it works now together with the haproxy version 0.61_11.
Thanks!
Updated by Jim Pingle over 1 year ago
- Status changed from Feedback to Resolved
- % Done changed from 0 to 100