http and https to same backend host?

Issue #10 resolved
Former user created an issue

I am wondering if it is possible to go from http://thissite.com/something to https://thissite.com/somethingelse without losing the sticky session. Currently I have x.x.x.x:80 and x.x.x.x:443 in different backend groups so the session cookie gets set differently depending on whether the site gets accessed via SSL or not. I'm not sure of any different way of getting around doing it this way. We are trying to move from Amazon ELB to NGINX but this is a big roadblock for us. Any help would be appreciated.

Thanks, Garrett

Comments (7)

  1. S. Goodman repo owner

    hi garrett,

    from a first look i think it would be impossible when using different upstream-configs to use the same routing-cookie.

    i'd need to talk to our devs for a final answer.

    mex

  2. gattu sevalkar

    One workaround for this is to pass the protocol as a header and use it. We use HAProxy for SSL termination, so we do:

    HAPROXY:

        http-request set-header X-Forwarded-Port %[dst_port]
        http-request add-header X-Forwarded-Proto https if { ssl_fc }
        http-request add-header X-Forwarded-Proto http if !{ ssl_fc }

        backend admin
            stick-table type ip size 200k expire 30m
            stick on src
            cookie WEBSID insert indirect maxidle 90m
            server web1 <ip> cookie w1 check port 80

    NGINX:

        rewrite ^/s(/)?$ $http_x_forwarded_proto://$host/tour permanent;
        rewrite ^/r(/)?$ $http_x_forwarded_proto://$host/tour permanent;
    
  3. S. Goodman repo owner

    i wouldn't prefer this solution; this looks like an insecure solution and would render the Secure-Flag for cookies quite useless, would allow firesheep-attacks etc.

    i wouldn't like and allow such a solution, thus don't support this request due to security-concerns.

    go for full https on your sites, use HSTS-headers and Cookie/Secure/HTTPOnly and you are fine.

    cheers,

    s.goodman

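The setup recommended in the last comment (HTTPS for the whole site, HSTS, Secure/HttpOnly cookies), written out as an nginx configuration with a single upstream group so only one routing cookie exists. This is an added example, not configuration from the thread or the project; it assumes the `sticky` directive of nginx-sticky-module-ng, nginx 1.19.3 or later for `proxy_cookie_flags`, TLS terminated at nginx, and placeholder backend addresses and certificate paths.

```nginx
# Added example; backend addresses, certificate paths and the cookie name
# "route" are placeholders, not values from the thread.
upstream app_backend {
    # One upstream group for the whole site, so there is one routing cookie.
    # secure:   the browser only returns the cookie over HTTPS
    # httponly: the cookie is not readable from page scripts
    sticky name=route secure httponly;
    server 10.0.0.11:8080;   # placeholder backend
    server 10.0.0.12:8080;   # placeholder backend
}

server {
    listen 80;
    server_name thissite.com;
    # Port 80 never proxies to the backends, so no routing or session
    # cookie is issued over plain HTTP; every request is redirected.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name thissite.com;
    ssl_certificate     /etc/nginx/tls/thissite.com.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/thissite.com.key;   # placeholder path

    # HSTS: a browser that has seen this header uses HTTPS for later visits.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass http://app_backend;
        proxy_set_header Host $host;
        # Set by the proxy itself, so a client-supplied value is overwritten.
        proxy_set_header X-Forwarded-Proto https;
        # Add Secure and HttpOnly to cookies set by the application too.
        proxy_cookie_flags ~ secure httponly;
    }
}
```

With this layout `http://thissite.com/something` is redirected before any cookie is set, and every later request reaches the same backend through the one `route` cookie.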