reverseproxy: cookie should be Secure and SameSite=None when TLS

caddyserver · Feb 20, 2024 · 3c93f63 · 3c93f63
1 parent b893c8c
commit 3c93f63
Show file tree

Hide file tree

Showing 2 changed files with 63 additions and 2 deletions.
diff --git a/modules/caddyhttp/reverseproxy/selectionpolicies.go b/modules/caddyhttp/reverseproxy/selectionpolicies.go
@@ -655,12 +655,19 @@ func (s CookieHashSelection) Select(pool UpstreamPool, req *http.Request, w http
 		if err != nil {
 			return upstream
 		}
-		http.SetCookie(w, &http.Cookie{
+		cookie := &http.Cookie{
 			Name:   s.Name,
 			Value:  sha,
 			Path:   "/",
 			Secure: false,
-		})
+		}
+		trusted := caddyhttp.GetVar(req.Context(), caddyhttp.TrustedProxyVarKey).(bool)
+		xfp, ok, _ := lastHeaderValue(req.Header, "X-Forwarded-Proto")
+		if req.TLS != nil || (trusted && ok && xfp == "https") {
+			cookie.Secure = true
+			cookie.SameSite = http.SameSiteNoneMode
+		}
+		http.SetCookie(w, cookie)
 		return upstream
 	}
 

diff --git a/modules/caddyhttp/reverseproxy/selectionpolicies_test.go b/modules/caddyhttp/reverseproxy/selectionpolicies_test.go
@@ -658,6 +658,9 @@ func TestCookieHashPolicy(t *testing.T) {
 	if cookieServer1.Name != "lb" {
 		t.Error("cookieHashPolicy should set a cookie with name lb")
 	}
+	if cookieServer1.Secure != false {
+		t.Error("cookieHashPolicy should set cookie Secure attribute to false when request is not secure")
+	}
 	if h != pool[0] {
 		t.Error("Expected cookieHashPolicy host to be the first only available host.")
 	}
@@ -687,6 +690,57 @@ func TestCookieHashPolicy(t *testing.T) {
 	}
 }
 
+func TestCookieHashPolicyWithSecureRequest(t *testing.T) {
+    ctx, cancel := caddy.NewContext(caddy.Context{Context: context.Background()})
+    defer cancel()
+    cookieHashPolicy := CookieHashSelection{}
+    if err := cookieHashPolicy.Provision(ctx); err != nil {
+        t.Errorf("Provision error: %v", err)
+        t.FailNow()
+    }
+
+    pool := testPool()
+    pool[0].Dial = "localhost:8080"
+    pool[1].Dial = "localhost:8081"
+    pool[2].Dial = "localhost:8082"
+    pool[0].setHealthy(true)
+    pool[1].setHealthy(false)
+    pool[2].setHealthy(false)
+
+    // Create a test server that serves HTTPS requests
+    ts := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+        h := cookieHashPolicy.Select(pool, r, w)
+        if h != pool[0] {
+            t.Error("Expected cookieHashPolicy host to be the first only available host.")
+        }
+    }))
+    defer ts.Close()
+
+    // Make a new HTTPS request to the test server
+    client := ts.Client()
+    request, err := http.NewRequest(http.MethodGet, ts.URL+"/test", nil)
+    if err != nil {
+        t.Fatal(err)
+    }
+    response, err := client.Do(request)
+    if err != nil {
+        t.Fatal(err)
+    }
+
+    // Check if the cookie set is Secure and has SameSiteNone mode
+    cookies := response.Cookies()
+    if len(cookies) == 0 {
+        t.Fatal("Expected a cookie to be set")
+    }
+    cookie := cookies[0]
+    if !cookie.Secure {
+        t.Error("Expected cookie Secure attribute to be true when request is secure")
+    }
+    if cookie.SameSite != http.SameSiteNoneMode {
+        t.Error("Expected cookie SameSite attribute to be None when request is secure")
+    }
+}
+
 func TestCookieHashPolicyWithFirstFallback(t *testing.T) {
 	ctx, cancel := caddy.NewContext(caddy.Context{Context: context.Background()})
 	defer cancel()