I'm using Nginx as a reverse proxy server. Is it possible to Remove the "secure" flag to the cookies somehow using Nginx? Modifying the path is possible so I guess it's also possible to modify cookie.
An imperfect method:
proxy_cookie_path "~*^(.*?)$" $1\nX-User-Value:;
I know this is quite old question, but there is no answer here and I couldn't find fine solution for the same problem.
So I forked nginx_cookie_flag_module module and changed it to nginx_unsecure_cookie_module:
https://github.com/yumauri/nginx_unsecure_cookie_module
I'm frontend developer, my C/C++ knowledges are super low, but looks like it is working in my tests :) So I reckon it is good enough for development reasons.
Since nginx 1.19.3 you can use http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cookie_flags. For example:
proxy_cookie_flags some_cookie nosecure;
To remove the Secure flag from all cookies:
proxy_cookie_flags ~ nosecure;
Related
Premise
I need a way to remove the X-Frame-Options header from the responses from a few websites before those responses reach my browser.
I am doing this so that I can properly render my custom kiosk webpage, which has iframes that point to websites that don't want to show up in frames.
What I have tried
I have tried setting up a proxy using squid and configuring its reply_header_access option to deny X-Frame-Options headers as the server receives them, but that is for some reason not working as anticipated. I have verified that I am indeed going through the Squid proxy, and I have verified that the X-Frame-Options header persists despite my squid.conf file containing the following:
reply_header_access X-Frame-Options deny all
and having built squid (using Homebrew on my Mac) with the --enable-http-violations option.
Having chased down a lot of what might have gone wrong with this approach, I have decided that the reply_header_access option must not do exactly what I thought it does (modify headers before returning them to the client).
So, I tried using another proxy server. After reading a Stack Overflow question asking about a situation roughly similar to mine, I decided I might try using the node-http-proxy library. However, I have never used Node before, so I got lost pretty quickly and am stuck at a point where I am not sure how to implement the library for my specific purpose.
Question
Using Node seems like a potentially very easy solution, so how can I set up a proxy using Node that removes the X-Frame-Options header from responses?
Alternatively, why is Squid not removing the header even though I tried to set it up to do so?
Final alternative: Is there an easier way to reach my ultimate goal of rendering any page I want within an iframe?
I used a proxy, specifically mitmproxy with the following script:
drop_unwanted_headers.py:
import mitmproxy
def requestheaders(flow: mitmproxy.http.HTTPFlow) -> None:
for each_key in flow.request.headers:
if each_key.casefold().startswith("sec-".casefold()):
flow.request.headers.pop(each_key)
def responseheaders(flow: mitmproxy.http.HTTPFlow) -> None:
if "x-frame-options" in flow.response.headers:
flow.response.headers.pop("x-frame-options")
if "content-security-policy" in flow.response.headers:
flow.response.headers.pop("content-security-policy")
To run it, do:
mitmproxy --script drop_unwanted_headers.py
Also ensure that your proxy settings point to the computer where the proxy server is running (maybe localhost) and the correct port is used.
I've run into an issue where the post-login redirect in Flask-Security is not keeping to HTTPS and is instead making an HTTP request. In some instances this is causing an error.
Ideally my nginx config would redirect all requests on :80 to :443 automatically, but apparently this is problematic as well. While I sort out the nginx issue I would really like to force Flask Security to always use HTTPS.
My current var for this is just:
SECURITY_POST_LOGIN_VIEW = '/logged-in'
The documentation says an endpoint name can be used as well, but it does not say what the format for that is. Do you just provide the endpoint name or is it wrapped in a url_for()?
Is there a way to force Flask Security to always use HTTPS, either in this particular instance or as a whole?
I have the same issue before. In fact, because of this limitation. I started to use flask-jwt instead of flask-security. Here is the link to the project https://pythonhosted.org/Flask-JWT/
I don't have an answer about Flask-Security itself, but you can force all HTTP traffic to redirect to HTTPS with Google's Flask-Talisman. That will fix the problem no matter what library you're using.
An old but important questions. I spent too much time working through this but here goes:
The answer is that Flask's url_for() is returning a relative url such as '/logged-in'.
werkzeug by default (via its autocorrect_location_header = True Response option) creates a fully qualified URL.
Where does it get the scheme and server?
It gets it by calling wsgi.get_current_url() -
which for scheme uses: environ["wsgi.url_scheme”]
Assuming you are using uwsgi https://uwsgi-docs.readthedocs.io/en/latest/ - it seems to look at the variables
UWSGI_SCHEME and HTTP_X_FORWARDED_PROTO and if neither are set then look at the variable HTTPS, else set wsgi.url_scheme=“http”
Most examples of setting up uwsgi+python say to place this (and others) in your
uwsgi_params file that is included in your nginx config:
uwsgi_param HTTPS $https if_not_empty;
I believe that simply setting:
uwsgi_param UWSGI_SCHEME https;
in your nginx config would force flask to believe the request was https regardless.
I use AWS ALB which seems to set all the relevant X-FORWARDED-xxx headers so
things just work.
If you need to handle both http and https and your LB doesn’t set
the headers - then the werkzeug folks have an answer - https://werkzeug.palletsprojects.com/en/0.15.x/middleware/proxy_fix
Endpoint name is the name of the view function.
Basically, if your desired route is decorating the show_home function,
app.config['SECURITY_POST_LOGIN_VIEW'] = 'show_home'
#app.route('/your-route')
def show_home():
...
PS: I am not sure what was the situation when the question was posted, but I describe the situation for Flask-security-too==4.0
I want to create a proxy server with nodejs, it could be a web-proxy(like glype in php) or a proxy which we enter in browser.
The main motive is to save specific files(that match certain mime type) to HDD.
First of all I tried to use http-proxy module but it didn't allowed me to create a proxy server that accepts HTTPS. Also I didn't found any way to save files.(please correct me If I'm wrong)
Then, I tried node-unblocker, its just perfect but the only problem is its Limitations(listed here).
Please, could somebody help me out in doing this.
Keep in mind that, by default, your proxy solution wouldn't be able to eavesdrop https traffic as that would be considered a security breach. More precisely, you'd be doing #2 of this list.
You could theoretically implement a solution where your proxy server has its own SSL certificate and you include it in your trusted CA list in all the devices you plan on using this proxy. Much like Charles Proxy, Fiddler and other proxy programs do for debugging purposes.
We are using lighttpd web server in our code base. It is that we need to add SECURE and HTTP ONLY flags for the cookie.
I have gone through many examples but all are related to PHP and some other kanguage. We don't use PHP in our code. Is there anyway that I can get this? Can anything be done in the .conf file like in apache web server.
I have tested apache web server by adding changes in the httpd.conf and checked the packet capture. It worked. But unable to achieve this in lighttpd.
We use C language in the backend.
Well, To answer my own question.
There is nothing to do with the lighttpd.conf as of httpd.conf for apache.
We are setting the cookie header in a lua file(Kepler). Appending secure to that cookie header fixed the issue.
I have a CppCMS based application and I cant use IIS's FastCGI connector as
it is broken for my use thus I want to try to
use the internal HTTP server designed for debug purposes behind IIS.
I it is quite simple web server for an application that handles basic HTTP/1.0 requests
and does not care too much about security like DoS, file serving and more.
So I'd like to know if it is possible to use IIS in front of such application such that
it would:
Sanitize all requests - ensure that they are proper HTTP
Handle all DoS issues like timeouts
Serve the static files.
Is this something that can be configured and done at all?
I would suggest this is the wrong way of doing this. I would use a web server like Nginx to proxy the requests through to backend server. It is very configurable and you will find a lot of articles with doing it to Apache.
We just did something like this. You want the URL Rewriter module. You can use it to sanitize the URLs, however, it isn't going to sanitize the payload. Which is to say, you can make sure that the URLs that hit your box are very specific ones, e.g. not attempts to hits CGI, but you can't use it to make sure that the contents of an upload are safe.
ModSecurity is out for IIS now, it can handle lots of the security related issues.