I have a reverse proxy but, for security reasons, I need to force the
client to work as close to an Incognito session as possible.
I tried adding the following:
proxy_set_header Cookie "";
add_header Set-Cookie "cookie_name=; Expires=Thu, 01 Jan 1970 00:00:01 GMT;"; }
but it still does not work correctly.
Is there a way to do this?
On Sat, Dec 16, 2023 at 02:16:45PM -0500, Saint Michael wrote:
Hi there,
> I have a reverse proxy but, for security reasons, I need to force the
> client to work as close to an Incognito session as possible.
I suspect that that can only reliably be done by telling the client to
use an Incognito session. nginx-in-the-middle will not be able to do it,
without lots of extra state being stored across requests. (Which may
well be doable by you writing the code to do it; but I suspect that it
can't be done purely in stock nginx configuration.)
> I tried adding the following:
>
> proxy_set_header Cookie "";
> add_header Set-Cookie "cookie_name=; Expires=Thu, 01 Jan 1970 00:00:01 GMT;"; }
>
> but it still does not work correctly.
I suspect that it will be useful to learn what exactly you consider an
Incognito session to be.
My understanding is that, among other things, the client will choose
not to send any cookies that had been set outside of this session, but
will choose to send cookies that were set within this session. If that
is correct, then "never sending cookies" is not the correct design.
The client can know when the cookies that it has were set; for nginx
to know that, it would need to keep track of the Set-Cookie responses
for each client, and only allow through matching Cookie requests from
the matching client. And by default, nginx does not know or care about
that information.
> Is there a way to do this?
Probably not trivially.
Good luck with it!
f
--
Francis Daly francis at daoine.org
On 16/12/2023, Saint Michael <venefax at gmail.com> wrote:
> I have a reverse proxy but, for security reasons, I need to force the
> client to work as close to an Incognito session as possible.
> I tried adding the following:
>
> proxy_set_header Cookie "";
> add_header Set-Cookie "cookie_name=; Expires=Thu, 01 Jan 1970 00:00:01 GMT;"; }
>
> but it still does not work correctly.
>
> Is there a way to do this?
Copied from my 2013 answer at https://serverfault.com/a/467774:
This can be addressed through nginx with the following directives
placed within the server context:
proxy_hide_header Set-Cookie;
proxy_ignore_headers Set-Cookie;
# important! Remember the special inheritance rules for proxy_set_header:
# http://nginx.org/ru/docs/http/ngx_http_proxy_module.html#proxy_set_header
proxy_set_header Cookie "";
All three directives above are very important:
* proxy_hide_header ensures the header will not be passed back to the client,
* proxy_ignore_headers ensures that the header will not automatically
disable caching within nginx and, finally,
* proxy_set_header ensures that a client cannot pass any prior cookies
to the webapp and spoil your cache.
Note my comment regarding proxy_set_header inheritance — you cannot
nest this directive (have to define all or none at a given level).
C.
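An added example, not taken from the thread or from the serverfault answer, that puts the three directives above in the server context and shows the proxy_set_header inheritance pitfall from the closing note. The upstream address, server_name and the /api/ location are assumed placeholders.

```nginx
# Added example (not from the thread): cookie-stripping proxy.
# "backend", 127.0.0.1:8080 and app.example.com are assumed placeholders.
upstream backend {
    server 127.0.0.1:8080;   # assumed upstream application
}

server {
    listen 443 ssl;
    server_name app.example.com;   # placeholder

    # 1. Never pass an upstream Set-Cookie back to the client.
    proxy_hide_header    Set-Cookie;
    # 2. Do not let an upstream Set-Cookie disable nginx caching.
    proxy_ignore_headers Set-Cookie;
    # 3. Never forward client cookies to the webapp (protects the cache too).
    proxy_set_header     Cookie "";
    proxy_set_header     Host   $host;

    location / {
        proxy_pass http://backend;
        # No proxy_set_header here, so the server-level set is inherited
        # and Cookie "" stays in effect.
    }

    location /api/ {
        proxy_pass http://backend;
        # PITFALL: one proxy_set_header at this level replaces the whole
        # inherited set. Adding only X-Request-ID here would silently drop
        # Cookie "" and Host. Correct: repeat every directive you need.
        proxy_set_header X-Request-ID $request_id;
        proxy_set_header Cookie       "";
        proxy_set_header Host         $host;
    }
}
```

Run `nginx -t` after editing and confirm with a request through the proxy that no Set-Cookie reaches the client and no Cookie reaches the upstream.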