Project

General

Profile

Actions

Bug #13343

closed

HAproxy cookie protection syntax needs updated

Added by Johannes Goldynia over 1 year ago. Updated 8 months ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
haproxy
Target version:
-
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Affected Version:
Affected Plus Version:
22.05
Affected Architecture:
All

Description

A bug has been found after UPdate to pfSense plus 22.05: the generated code by HaProxy-GUI

rspirep ^(Set-Cookie:((?!;\ secure).)*)$ \1;\ secure if { ssl_fc }

used by the checkbox /backend settings ... HSTS / Cookie protection is obsolete.
So I fix it - temporary - by disabling the checkbox but adding the following "Backend pass thru":

http-response replace-header Set-Cookie "^((?:(?!; [Ss]ecure\b).)*)\$" "\1; secure" if { ssl_fc }

Still waiting for a fix in the GUI of haproxy.


Related issues

Has duplicate Bug #14536: Backend cookie protection option generates invalid haproxy config fileDuplicate

Actions
Actions #1

Updated by Kris Phillips over 1 year ago

Hello,

Is this present on the stable or devel branch? Or both?

Actions #2

Updated by Johannes Goldynia over 1 year ago

Hello,

the bug is there if the haproxy package installation dependency is set to use
haproxy22-2.2.22 (no more "rspirep" support)

If it is to the "old"
haproxy18-1.8.30
it is OK because "rspirep" is supported ...

It is on the stable branch pfsense plus 22.05 together with haproxy (NOT devel).

BR Johannes

Actions #3

Updated by Kris Phillips over 1 year ago

  • Status changed from New to Confirmed

Here is the error message in 2.0 of HAProxy:

The 'rspirep' directive is deprecated in favor of 'http-response replace-header' and will be removed in next version.

The function needs to be changed on the webConfigurator interface to represent the new way of formatting this, as it'll affect devel as well.

Actions #4

Updated by Alexandre J about 1 year ago

Hello,

Thank you Johannes Goldynia for the work-around, this worked for me too.

Is the fix in the GUI function difficult to put in place? I don't see any due date for that bug to be corrected.

Actions #5

Updated by Jim Pingle 9 months ago

  • Has duplicate Bug #14536: Backend cookie protection option generates invalid haproxy config file added
Actions #6

Updated by Jim Pingle 9 months ago

  • Subject changed from haproxy to HAproxy cookie protection syntax needs updated
Actions #7

Updated by Alfredo Pironti 9 months ago

Sorry for the duplicate report; for some reason I missed this one.

I've now prepared a pull request https://github.com/pfsense/FreeBSD-ports/pull/1272 based on the temporary fix proposed in this original bug report.

Hope this helps!

Actions #8

Updated by Jim Pingle 9 months ago

  • Status changed from Confirmed to Pull Request Review
Actions #9

Updated by Jim Pingle 8 months ago

  • Status changed from Pull Request Review to Feedback

PR merged, thanks!

Packages are building for Plus 23.05.1 and CE 2.7.0, they will be available shortly.

Actions #10

Updated by Johannes Goldynia 8 months ago

Hello,

it works now together with the haproxy version 0.61_11.
Thanks!

Actions #11

Updated by Jim Pingle 8 months ago

  • Status changed from Feedback to Resolved
  • % Done changed from 0 to 100
Actions

Also available in: Atom PDF