mirror of
https://github.com/caddyserver/caddy.git
synced 2024-12-27 06:03:48 +03:00
reverseproxy: cookie should be Secure and SameSite=None when TLS (#6115)
* reverseproxy: cookie should be Secure and SameSite=None when TLS * Update modules/caddyhttp/reverseproxy/selectionpolicies_test.go Co-authored-by: Mohammed Al Sahaf <mohammed@caffeinatedwonders.com> --------- Co-authored-by: Mohammed Al Sahaf <mohammed@caffeinatedwonders.com>
This commit is contained in:
parent
4512be49a9
commit
da6a569e85
2 changed files with 66 additions and 2 deletions
|
@ -655,12 +655,22 @@ func (s CookieHashSelection) Select(pool UpstreamPool, req *http.Request, w http
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return upstream
|
return upstream
|
||||||
}
|
}
|
||||||
http.SetCookie(w, &http.Cookie{
|
cookie := &http.Cookie{
|
||||||
Name: s.Name,
|
Name: s.Name,
|
||||||
Value: sha,
|
Value: sha,
|
||||||
Path: "/",
|
Path: "/",
|
||||||
Secure: false,
|
Secure: false,
|
||||||
})
|
}
|
||||||
|
isProxyHttps := false
|
||||||
|
if trusted, ok := caddyhttp.GetVar(req.Context(), caddyhttp.TrustedProxyVarKey).(bool); ok && trusted {
|
||||||
|
xfp, xfpOk, _ := lastHeaderValue(req.Header, "X-Forwarded-Proto")
|
||||||
|
isProxyHttps = xfpOk && xfp == "https"
|
||||||
|
}
|
||||||
|
if req.TLS != nil || isProxyHttps {
|
||||||
|
cookie.Secure = true
|
||||||
|
cookie.SameSite = http.SameSiteNoneMode
|
||||||
|
}
|
||||||
|
http.SetCookie(w, cookie)
|
||||||
return upstream
|
return upstream
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -658,6 +658,9 @@ func TestCookieHashPolicy(t *testing.T) {
|
||||||
if cookieServer1.Name != "lb" {
|
if cookieServer1.Name != "lb" {
|
||||||
t.Error("cookieHashPolicy should set a cookie with name lb")
|
t.Error("cookieHashPolicy should set a cookie with name lb")
|
||||||
}
|
}
|
||||||
|
if cookieServer1.Secure {
|
||||||
|
t.Error("cookieHashPolicy should set cookie Secure attribute to false when request is not secure")
|
||||||
|
}
|
||||||
if h != pool[0] {
|
if h != pool[0] {
|
||||||
t.Error("Expected cookieHashPolicy host to be the first only available host.")
|
t.Error("Expected cookieHashPolicy host to be the first only available host.")
|
||||||
}
|
}
|
||||||
|
@ -687,6 +690,57 @@ func TestCookieHashPolicy(t *testing.T) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestCookieHashPolicyWithSecureRequest(t *testing.T) {
|
||||||
|
ctx, cancel := caddy.NewContext(caddy.Context{Context: context.Background()})
|
||||||
|
defer cancel()
|
||||||
|
cookieHashPolicy := CookieHashSelection{}
|
||||||
|
if err := cookieHashPolicy.Provision(ctx); err != nil {
|
||||||
|
t.Errorf("Provision error: %v", err)
|
||||||
|
t.FailNow()
|
||||||
|
}
|
||||||
|
|
||||||
|
pool := testPool()
|
||||||
|
pool[0].Dial = "localhost:8080"
|
||||||
|
pool[1].Dial = "localhost:8081"
|
||||||
|
pool[2].Dial = "localhost:8082"
|
||||||
|
pool[0].setHealthy(true)
|
||||||
|
pool[1].setHealthy(false)
|
||||||
|
pool[2].setHealthy(false)
|
||||||
|
|
||||||
|
// Create a test server that serves HTTPS requests
|
||||||
|
ts := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||||
|
h := cookieHashPolicy.Select(pool, r, w)
|
||||||
|
if h != pool[0] {
|
||||||
|
t.Error("Expected cookieHashPolicy host to be the first only available host.")
|
||||||
|
}
|
||||||
|
}))
|
||||||
|
defer ts.Close()
|
||||||
|
|
||||||
|
// Make a new HTTPS request to the test server
|
||||||
|
client := ts.Client()
|
||||||
|
request, err := http.NewRequest(http.MethodGet, ts.URL+"/test", nil)
|
||||||
|
if err != nil {
|
||||||
|
t.Fatal(err)
|
||||||
|
}
|
||||||
|
response, err := client.Do(request)
|
||||||
|
if err != nil {
|
||||||
|
t.Fatal(err)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Check if the cookie set is Secure and has SameSiteNone mode
|
||||||
|
cookies := response.Cookies()
|
||||||
|
if len(cookies) == 0 {
|
||||||
|
t.Fatal("Expected a cookie to be set")
|
||||||
|
}
|
||||||
|
cookie := cookies[0]
|
||||||
|
if !cookie.Secure {
|
||||||
|
t.Error("Expected cookie Secure attribute to be true when request is secure")
|
||||||
|
}
|
||||||
|
if cookie.SameSite != http.SameSiteNoneMode {
|
||||||
|
t.Error("Expected cookie SameSite attribute to be None when request is secure")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
func TestCookieHashPolicyWithFirstFallback(t *testing.T) {
|
func TestCookieHashPolicyWithFirstFallback(t *testing.T) {
|
||||||
ctx, cancel := caddy.NewContext(caddy.Context{Context: context.Background()})
|
ctx, cancel := caddy.NewContext(caddy.Context{Context: context.Background()})
|
||||||
defer cancel()
|
defer cancel()
|
||||||
|
|
Loading…
Reference in a new issue