Support SameSite parameter for the persistence cookie #361

Closed
haraldschilly opened this issue Nov 13, 2019 · 18 comments
Labels
type: feature This issue describes a feature request / wishlist.

Comments

@haraldschilly

Output of haproxy -vv and uname -a

# haproxy -vv
HA-Proxy version 1.8.8-1ubuntu0.4 2019/01/24
Copyright 2000-2018 Willy Tarreau <willy@haproxy.org>

Build options :
  TARGET  = linux2628
  CPU     = generic
  CC      = gcc
  CFLAGS  = -g -O2 -fdebug-prefix-map=/build/haproxy-Mxbbv4/haproxy-1.8.8=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2
  OPTIONS = USE_GETADDRINFO=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_SYSTEMD=1 USE_PCRE=1 USE_PCRE_JIT=1 USE_NS=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with OpenSSL version : OpenSSL 1.1.0g  2 Nov 2017
Running on OpenSSL version : OpenSSL 1.1.1  11 Sep 2018 (VERSIONS DIFFER!)
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2
Built with Lua version : Lua 5.3.3
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Encrypted password support via crypt(3): yes
Built with multi-threading support.
Built with PCRE version : 8.39 2016-06-14
Running on PCRE version : 8.39 2016-06-14
PCRE library supports JIT : yes
Built with zlib version : 1.2.11
Running on zlib version : 1.2.11
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with network namespace support.

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available filters :
        [SPOE] spoe
        [COMP] compression
        [TRACE] trace

# uname -a
Linux proxy-795c7fbfd9-rbvcg 4.15.0-1037-gcp #39-Ubuntu SMP Wed Jul 3 06:28:59 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

What should haproxy do differently? Which functionality do you think we should add?

There is a "cookie" within HAProxy which makes connections stick to specific services.
This cookie doesn't support setting the SameSite parameter, with values like lax|strict|none.

What are you trying to do?

My use case is a service which is embedded into an iframe by others.
This means any cookies set by that service count as "third-party cookies".

Discourse discussion: https://discourse.haproxy.org/t/set-samesite-none-for-haproxies-cookie/4483/5

The more general background is an upcoming change in Chrome and other browsers.
They're going to handle such cookies differently.

https://web.dev/samesite-cookie-recipes/

Any cookies used by that site will be considered as third-party cookies when the site is displayed within the frame.

and

For cookies needed in a third-party context, you will need to ensure they are marked as SameSite=None; Secure.

@haraldschilly haraldschilly added the type: feature This issue describes a feature request / wishlist. label Nov 13, 2019
@lukastribus
Member

Let's also discuss:

Should we implement a samesite option specifically or a rather generic option so that users can add whatever parameter they require?

I'd personally opt for the latter, which makes this more flexible.

@haraldschilly
Author

Well, if you ask me, a generic option with more flexibility sounds great.

@wtarreau
Member

wtarreau commented Nov 13, 2019 via email

@gonmf

gonmf commented Jan 15, 2020

Hello everyone.

For the more general background, version 80 of Chrome is scheduled to be rolled out on February 6. This will mean a lot of users will suddenly start different connections for requests to the same HA instance.

@mbride

mbride commented Jan 20, 2020

Hello, is any update planned for this point? Sticky cookies will not be sent anymore for sites embedded in an iframe or in another browser tab if they are not on the same domain. This will be blocking for many use cases.
Thank you

@capflam
Member

capflam commented Jan 21, 2020

I submitted a patch on the mailing list to solve this issue. The idea is to add an attr option to add any attribute to the cookie:

   cookie SRV insert secure attr "SameSite=Strict"

Of course, the attr option may be repeated to add several attributes. It is simple and generic. It should do the trick. Any comments?

haproxy-mirror pushed a commit that referenced this issue Jan 22, 2020
… directive

It is now possible to insert any attribute when a cookie is inserted by
HAProxy. Any value may be set, no check is performed except the syntax validity
(CTRL chars and ';' are forbidden). For instance, it may be used to add the
SameSite attribute:

    cookie SRV insert attr "SameSite=Strict"

The attr option may be repeated to add several attributes.

This patch should fix the issue #361.
@capflam
Member

capflam commented Jan 23, 2020

I backported the feature as far as 1.8.

@capflam capflam closed this as completed Jan 23, 2020
@svjacob

svjacob commented Jan 28, 2020

@capflam thanks for the commit! I've got a noob question: when you say you backported it to 1.8, does that mean I can modify the build before compiling haproxy on 1.8 and it should work? Or does that mean that the actual src download from http://www.haproxy.org/ for 1.8 will include the fix? It doesn't seem like the changes are in the 1.8 src there.

@haproxy-mirror

haproxy-mirror commented Jan 28, 2020 via email

@lukastribus
Member

So in the meantime you can (links are for 1.8):

  • pull from git (git clone http://git.haproxy.org/git/haproxy-1.8.git/)
  • get a snapshot 20200124 or newer
  • apply the patch manually

FireBurn pushed a commit to FireBurn/haproxy that referenced this issue Jan 29, 2020
… directive

It is now possible to insert any attribute when a cookie is inserted by
HAProxy. Any value may be set, no check is performed except the syntax validity
(CTRL chars and ';' are forbidden). For instance, it may be used to add the
SameSite attribute:

    cookie SRV insert attr "SameSite=Strict"

The attr option may be repeated to add several attributes.

This patch should fix the issue haproxy#361.

(cherry picked from commit 2f53390)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit fac5082)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit db2cdbb)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit d76877d)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
@dmazurek

dmazurek commented Feb 3, 2020

Here's a workaround if you can't upgrade: add a new frontend and backend in front of your listener that uses http-response replace-header to add the SameSite directive. For example:

frontend fe-samesite
    mode http
    bind localhost:8080
    default_backend be-samesite

backend be-samesite
    mode http
    # The stickiness cookie inserted by backend "be" reaches this hop as an
    # ordinary server response header, so replace-header can rewrite it here.
    server fe:8081 localhost:8081
    http-response replace-header Set-Cookie ^(sticky_cookie=.*) \1;\ SameSite=None

frontend fe
    mode http
    bind localhost:8081
    default_backend be
    [...]

backend be
    mode http
    server [...] cookie server1
    server [...] cookie server2
    cookie sticky_cookie insert secure
    [...]

This worked like a charm for me.
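As an added example (not HAProxy's code, nor capflam's or dmazurek's), the Python below models two points from this thread: the syntax rule of the `attr` option from capflam's patch (one attribute per `attr`, ';' and control characters rejected, so SameSite=None and Secure need two options or `secure` plus one `attr`), and what dmazurek's `http-response replace-header Set-Cookie` rule does to the Set-Cookie headers of a response as it crosses the extra be-samesite hop. Each resulting cookie is then checked against the web.dev rule quoted in the issue (third-party cookies need SameSite=None together with Secure). The header samples, the `audit` helper and all function names are constructed for the example.

```python
"""Audit Set-Cookie headers for the SameSite/Secure rules discussed in this thread.

Added example for this issue page; it is not HAProxy code. All header samples
below are constructed.
"""
import re

# Control characters are rejected by the `attr` option according to the commit message.
_CTRL = re.compile(r"[\x00-\x1f\x7f]")


def validate_attr(attr: str) -> str:
    """Apply the `attr` syntax rule: one attribute per option, no ';' and no CTRL chars.

    'SameSite=None; Secure' is therefore rejected; the config needs two `attr`
    options (or `secure` plus attr "SameSite=None").
    """
    if ";" in attr or _CTRL.search(attr):
        raise ValueError(f"invalid cookie attribute: {attr!r}")
    return attr


def parse_set_cookie(value: str):
    """Split a Set-Cookie value into (name, value, {attribute_lower: attribute_value})."""
    parts = [p.strip() for p in value.split(";")]
    name, _, val = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, v = part.partition("=")
            attrs[key.strip().lower()] = v.strip()
    return name.strip(), val, attrs


def check_third_party_ready(value: str):
    """Return the problems that stop a cookie from being sent in a third-party (iframe) context.

    Per the web.dev guidance quoted in the issue, such cookies need SameSite=None and Secure.
    """
    name, _, attrs = parse_set_cookie(value)
    problems = []
    samesite = attrs.get("samesite", "").lower()
    if samesite != "none":
        problems.append(f"{name}: SameSite={samesite or '<unset>'}, needs None")
    if "secure" not in attrs:
        problems.append(f"{name}: missing Secure (required alongside SameSite=None)")
    return problems


# Regex and format string from dmazurek's workaround; the HAProxy "\ " escape for the
# space in the format string is written as a plain space here.
STICKY_RE = re.compile(r"^(sticky_cookie=.*)")
STICKY_FMT = r"\1; SameSite=None"


def apply_replace_header(headers, pattern=STICKY_RE, fmt=STICKY_FMT):
    """Emulate `http-response replace-header Set-Cookie <regex> <fmt>` on (name, value) pairs.

    Every Set-Cookie header whose value matches the regex has its whole value replaced
    by the expanded format string; non-matching headers pass through untouched.
    """
    out = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            match = pattern.search(value)
            if match:
                value = match.expand(fmt)
        out.append((name, value))
    return out


# Constructed response as it would leave backend "be": one cookie inserted by HAProxy's
# `cookie sticky_cookie insert secure`, one set by the application itself.
SAMPLE_RESPONSE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sticky_cookie=server1; Secure"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
]


def audit(headers):
    """Run the workaround over a response and report each cookie's remaining problems."""
    rewritten = apply_replace_header(headers)
    report = {}
    for name, value in rewritten:
        if name.lower() == "set-cookie":
            cookie_name, _, _ = parse_set_cookie(value)
            report[cookie_name] = check_third_party_ready(value)
    return rewritten, report


if __name__ == "__main__":
    rewritten, report = audit(SAMPLE_RESPONSE_HEADERS)
    for name, value in rewritten:
        print(f"{name}: {value}")
    for cookie, problems in report.items():
        print(cookie, "OK" if not problems else problems)
```

The audit shows the limit of the regex workaround that the later comments run into: only the cookie matching `^(sticky_cookie=.*)` is rewritten, while the application's own session cookie keeps its missing SameSite and Secure attributes and would still be dropped in an iframe.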

@mathieu-veron

Quick question for you @dmazurek: why is a new frontend and backend needed? From my understanding, replace-header could have been put on the existing backend, no?

@panosziogas

panosziogas commented Mar 19, 2020

Same question for me as @mathieu-veron above. Why can't we use the existing backend?

@lukastribus
Member

@mathieu-veron @panosziogas no, you cannot use the existing backend, because http-response replace-header works for headers that come from a backend's response, not for locally emitted headers like cookies that haproxy emits.

@anne01-code

We are still running haproxy 1.8.23 and are not able to use
cookie SRV insert secure attr "SameSite=Strict".

Is it also possible in the meantime to use the following in the backend:

rspirep ^(set-cookie:.*) \1;\ SameSite=None\ Secure

and is the syntax correct?

@anne01-code

For the backend I used the following syntax:

rspirep ^(set-cookie:.*) \1;\ SameSite=None;Secure

and this works fine for me.

In the meantime we need to upgrade to version 1.8.24, so we can use the cookie option.

@vpnsecure

Chrome DevTools shows the following is working when inserting a new cookie:

cookie SRV insert secure attr "SameSite=None"

How do I add Secure and SameSite=None to all of the cookies emitted by the back-end server?

@Artemiy555

Hi. Can I add attr and domain, so that there is no rewriting?
