http and https to same backend host?
I am wondering if it is possible to go from http://thissite.com/something to https://thissite.com/somethingelse without losing the sticky session. Currently I have x.x.x.x:80 and x.x.x.x:443 in different backend groups so the session cookie gets set differently depending on whether the site gets accessed via SSL or not. I'm not sure of any different way of getting around doing it this way. We are trying to move from Amazon ELB to NGINX but this is a big roadblock for us. Any help would be appreciated.
Thanks, Garrett
Comments (7)
-
repo owner - changed status to open
-
repo owner Hi Garrett,
From a first look I think it would be impossible when using different upstream configs to use the same routing cookie.
I'd need to talk to our devs for a final answer.
mex
-
One workaround for this is to pass the protocol as a header and use it. We use HAPROXY for SSL termination, so we do:
HAPROXY:
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    http-request add-header X-Forwarded-Proto http if !{ ssl_fc }

    backend admin
        stick-table type ip size 200k expire 30m
        stick on src
        cookie WEBSID insert indirect maxidle 90m
        server web1 <ip> cookie w1 check port 80

NGINX:
    rewrite ^/s(/)?$ $http_x_forwarded_proto://$host/tour permanent;
    rewrite ^/r(/)?$ $http_x_forwarded_proto://$host/tour permanent;
-
repo owner - changed status to resolved
-
repo owner I wouldn't prefer this solution; this looks like an insecure solution and would render the Secure flag for the cookie quite useless, would allow Firesheep attacks etc.
I wouldn't like and allow such a solution, thus don't support this request due to security concerns.
Go for full HTTPS on your sites, use HSTS headers and Cookie/Secure/HttpOnly and you are fine.
cheers,
s.goodman
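The three checks named in the reply above (full HTTPS, HSTS, Secure and HttpOnly on the cookie), as an added example that is not part of the thread or the project's code: a small Python audit run over constructed sample responses. The WEBSID cookie name and thissite.com come from the posts above; the header values, the max-age and the function names are assumptions.

```python
# Constructed sample responses (not captured traffic): scheme, status, headers.
SAMPLES = {
    "mixed http/https site": [
        ("http", 200, [("Set-Cookie", "WEBSID=w1; Path=/")]),
        ("https", 200, [("Set-Cookie", "WEBSID=w1; Path=/")]),
    ],
    "full https site": [
        ("http", 301, [("Location", "https://thissite.com/something")]),
        ("https", 200, [
            ("Set-Cookie", "WEBSID=w1; Path=/; Secure; HttpOnly"),
            ("Strict-Transport-Security", "max-age=31536000"),
        ]),
    ],
}


def cookie_flags(set_cookie):
    """Return (cookie name, set of lower-cased attribute names)."""
    first, *attrs = [p.strip() for p in set_cookie.split(";")]
    name = first.split("=", 1)[0]
    return name, {a.split("=", 1)[0].lower() for a in attrs if a}


def audit(scheme, status, headers):
    """List the session-exposure problems of one response."""
    findings = []
    names = {k.lower(): v for k, v in headers}
    if scheme == "http":
        location = names.get("location", "")
        if not (status in (301, 302, 307, 308) and location.startswith("https://")):
            findings.append("http response is served instead of redirected to https")
    elif "strict-transport-security" not in names:
        findings.append("https response has no HSTS header")
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        name, flags = cookie_flags(value)
        if scheme == "http":
            findings.append(f"{name} is set over cleartext http")
        if "secure" not in flags:
            findings.append(f"{name} lacks Secure, so it is also sent over http")
        if "httponly" not in flags:
            findings.append(f"{name} lacks HttpOnly")
    return findings


def audit_site(responses):
    """Audit every (scheme, status, headers) tuple of one site."""
    return [f"{s}: {msg}" for s, st, h in responses for msg in audit(s, st, h)]


if __name__ == "__main__":
    for site, responses in SAMPLES.items():
        print(site, audit_site(responses) or "ok")
```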
+1 I too am facing the same issue.