reverseproxy: cookie should be Secure and SameSite=None when TLS (#6115)

* reverseproxy: cookie should be Secure and SameSite=None when TLS

* Update modules/caddyhttp/reverseproxy/selectionpolicies_test.go

Co-authored-by: Mohammed Al Sahaf <mohammed@caffeinatedwonders.com>

---------

Co-authored-by: Mohammed Al Sahaf <mohammed@caffeinatedwonders.com>
This commit is contained in:
Sam Ottenhoff 2024-02-23 14:45:58 -05:00 committed by GitHub
parent 4512be49a9
commit da6a569e85
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 66 additions and 2 deletions

View file

@ -655,12 +655,22 @@ func (s CookieHashSelection) Select(pool UpstreamPool, req *http.Request, w http
if err != nil {
return upstream
}
http.SetCookie(w, &http.Cookie{
cookie := &http.Cookie{
Name: s.Name,
Value: sha,
Path: "/",
Secure: false,
})
}
isProxyHttps := false
if trusted, ok := caddyhttp.GetVar(req.Context(), caddyhttp.TrustedProxyVarKey).(bool); ok && trusted {
xfp, xfpOk, _ := lastHeaderValue(req.Header, "X-Forwarded-Proto")
isProxyHttps = xfpOk && xfp == "https"
}
if req.TLS != nil || isProxyHttps {
cookie.Secure = true
cookie.SameSite = http.SameSiteNoneMode
}
http.SetCookie(w, cookie)
return upstream
}

View file

@ -658,6 +658,9 @@ func TestCookieHashPolicy(t *testing.T) {
if cookieServer1.Name != "lb" {
t.Error("cookieHashPolicy should set a cookie with name lb")
}
if cookieServer1.Secure {
t.Error("cookieHashPolicy should set cookie Secure attribute to false when request is not secure")
}
if h != pool[0] {
t.Error("Expected cookieHashPolicy host to be the first only available host.")
}
@ -687,6 +690,57 @@ func TestCookieHashPolicy(t *testing.T) {
}
}
func TestCookieHashPolicyWithSecureRequest(t *testing.T) {
ctx, cancel := caddy.NewContext(caddy.Context{Context: context.Background()})
defer cancel()
cookieHashPolicy := CookieHashSelection{}
if err := cookieHashPolicy.Provision(ctx); err != nil {
t.Errorf("Provision error: %v", err)
t.FailNow()
}
pool := testPool()
pool[0].Dial = "localhost:8080"
pool[1].Dial = "localhost:8081"
pool[2].Dial = "localhost:8082"
pool[0].setHealthy(true)
pool[1].setHealthy(false)
pool[2].setHealthy(false)
// Create a test server that serves HTTPS requests
ts := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
h := cookieHashPolicy.Select(pool, r, w)
if h != pool[0] {
t.Error("Expected cookieHashPolicy host to be the first only available host.")
}
}))
defer ts.Close()
// Make a new HTTPS request to the test server
client := ts.Client()
request, err := http.NewRequest(http.MethodGet, ts.URL+"/test", nil)
if err != nil {
t.Fatal(err)
}
response, err := client.Do(request)
if err != nil {
t.Fatal(err)
}
// Check if the cookie set is Secure and has SameSiteNone mode
cookies := response.Cookies()
if len(cookies) == 0 {
t.Fatal("Expected a cookie to be set")
}
cookie := cookies[0]
if !cookie.Secure {
t.Error("Expected cookie Secure attribute to be true when request is secure")
}
if cookie.SameSite != http.SameSiteNoneMode {
t.Error("Expected cookie SameSite attribute to be None when request is secure")
}
}
func TestCookieHashPolicyWithFirstFallback(t *testing.T) {
ctx, cancel := caddy.NewContext(caddy.Context{Context: context.Background()})
defer cancel()