author | Sam Ottenhoff <[email protected]> | 2024-02-23 14:45:58 -0500 |
---|---|---|
committer | GitHub <[email protected]> | 2024-02-23 12:45:58 -0700 |
commit | da6a569e859f4dfbbebfd084060e15d940de8861 (patch) | |
tree | beebdd8ae9df048f57a98e2a0185c633d47623ff /modules/caddyhttp/reverseproxy/selectionpolicies.go | |
parent | 4512be49a9fa55270e9afa632be9ff6c9560c455 (diff) | |
download | caddy-da6a569e859f4dfbbebfd084060e15d940de8861.tar.gz caddy-da6a569e859f4dfbbebfd084060e15d940de8861.zip |
reverseproxy: cookie should be Secure and SameSite=None when TLS (#6115)
* reverseproxy: cookie should be Secure and SameSite=None when TLS
* Update modules/caddyhttp/reverseproxy/selectionpolicies_test.go
Co-authored-by: Mohammed Al Sahaf <[email protected]>
---------
Co-authored-by: Mohammed Al Sahaf <[email protected]>
Diffstat (limited to 'modules/caddyhttp/reverseproxy/selectionpolicies.go')
-rw-r--r-- | modules/caddyhttp/reverseproxy/selectionpolicies.go | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/modules/caddyhttp/reverseproxy/selectionpolicies.go b/modules/caddyhttp/reverseproxy/selectionpolicies.go
index b56c8074c..b6f807c16 100644
--- a/modules/caddyhttp/reverseproxy/selectionpolicies.go
+++ b/modules/caddyhttp/reverseproxy/selectionpolicies.go
@@ -655,12 +655,22 @@ func (s CookieHashSelection) Select(pool UpstreamPool, req *http.Request, w http
 if err != nil {
 return upstream
 }
- http.SetCookie(w, &http.Cookie{
+ cookie := &http.Cookie{
 Name: s.Name,
 Value: sha,
 Path: "/",
 Secure: false,
- })
+ }
+ isProxyHttps := false
+ if trusted, ok := caddyhttp.GetVar(req.Context(), caddyhttp.TrustedProxyVarKey).(bool); ok && trusted {
+ xfp, xfpOk, _ := lastHeaderValue(req.Header, "X-Forwarded-Proto")
+ isProxyHttps = xfpOk && xfp == "https"
+ }
+ if req.TLS != nil || isProxyHttps {
+ cookie.Secure = true
+ cookie.SameSite = http.SameSiteNoneMode
+ }
+ http.SetCookie(w, cookie)
 return upstream
 } |
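Review bot: The TLS branch forces `cookie.SameSite = http.SameSiteNoneMode` on every HTTPS response, so the affinity cookie is now attached to all cross-site requests, and the `http.Cookie` literal still never sets `HttpOnly`. If nothing client-side needs to read the cookie, adding `HttpOnly: true,` to the literal would keep page script away from it, and a comment such as `// SameSite=None so sticky sessions survive cross-site embedding; browsers require Secure with it` would record why the most permissive mode is chosen. The `X-Forwarded-Proto` lookup is gated on the trusted-proxy variable, but `xfp == "https"` is an exact, case-sensitive match and the third result of `lastHeaderValue` is discarded, so a value such as `HTTPS` would presumably leave the cookie without `Secure`; `strings.EqualFold(xfp, "https")` would be more tolerant. Select begins above the hunk, so how `sha` is derived and how the cookie is read back are not visible here.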