I want to rewrite domains in the cookie when NGIX is acting as reverse
proxy. I see that NGIX support this using proxy_cookie_domain module.
But I am unable to find out where does it keep the original domain which
is
being replaced? In my opinion NGIX would need the original domain to
find
out where to send the cookie when it comes back to NIGX in next request.
Let’s says NGIX domain is: external.com
backend server #1 sets cookie domain as: server1.com
backend server #2 sets cookie domain as: server2.com
Both these domains are replaced by NGIX to NGIX’s domain so both
cookies’
domain is now external.com
when the request comes to NGIX, both these cookies will be sent by
browser
to NGIX, now how does NGIX decide which cookies to be sent to the
backend
server? it needs to keep the original domain mapping to find this how,
does
it keep somewhere?
Thanks for reply.
In case client is just a browser then it will send all the cookies with
NGIX
domain which means that NGIX will send all the cookies to backend server
irrespective of who initially set it in set-cookie header… This could
be a
security issue then.
On Fri, Feb 12, 2016 at 02:22:20PM -0500, nitin wrote:
Both these domains are replaced by NGIX to NGIX’s domain so both cookies’
domain is now external.com
when the request comes to NGIX, both these cookies will be sent by browser
to NGIX, now how does NGIX decide which cookies to be sent to the backend
server? it needs to keep the original domain mapping to find this how, does
it keep somewhere?
The domain is only present in Set-Cookie response headers, but it
is not available in HTTP requests. The client decides which
cookies to send back to nginx in the Cookie request header, and
nginx just passes the header with all cookies unmodified.
On Mon, Feb 15, 2016 at 01:29:01AM -0500, nitin wrote:
Thanks for reply.
In case client is just a browser then it will send all the cookies with NGIX
domain which means that NGIX will send all the cookies to backend server
irrespective of who initially set it in set-cookie header… This could be a
security issue then.
For sure - if you are using untrusted backend servers in your
domain this can be a security issue. Regardless of what nginx
does, actually - just Set-Cookie may be enough to be an issue.
Moreover, any javascript returned by a backend server will be able
to read all cookies as well.
Of course this should be considered when using multiple backend
servers within a single domain.