specimen

Reputation: 1765

ServiceStack Secure cookie when HTTPS is terminated on the load balancer

In ServiceStack, the HostConfig flag UseSecureCookies = true will mark cookies as Secure when transmitted over HTTPS.

However, in the real world, it is common to have SSL terminated at the load balancer, and then use HTTP on the inside (i.e. Internet --https--> LB --http--> application).

How can I achieve secure HTTPS cookies in this case?

Upvotes: 1

Views: 322

Answers (1)

mythz

Reputation: 143409

Secure cookies can only be transmitted over HTTPS. ServiceStack will still emit Secure cookies behind an SSL-terminated proxy, provided it correctly sets the X-Forwarded-Proto: https downstream HTTP header.

E.g. here's a typical example of an SSL-terminated nginx reverse proxy:

server {
    listen       80;
    server_name my-app.org;

    location / {
        proxy_pass http://localhost:5000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection keep-alive;
        proxy_cache_bypass $http_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_buffering off;
        proxy_ignore_client_abort off;
        proxy_intercept_errors on;

        client_max_body_size 500m;
    }
}

Upvotes: 2
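
A check for the setup discussed in this thread, added here as an example and not part of the original question or answer: it scans raw response headers, as captured on the client side of the load balancer, and lists the cookies that lack the Secure attribute. The two header blocks are constructed samples and the function names are illustrative; ss-id and ss-pid are ServiceStack's session cookie names.

```python
"""Audit Set-Cookie headers for the Secure attribute (added example)."""


def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie name, set of attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Only what follows the first ';' is an attribute; the cookie's own
    # value (parts[0]) must never be mistaken for one.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def cookies_missing_secure(raw_headers):
    """Return the names of cookies in a raw header block that lack Secure."""
    missing = []
    for line in raw_headers.splitlines():
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() == "set-cookie":
            name, attrs = parse_set_cookie(value)
            if "secure" not in attrs:
                missing.append(name)
    return missing


# Constructed sample: response seen when the proxy forwarded
# "X-Forwarded-Proto: https" to the application.
SAMPLE_FORWARDED = """HTTP/1.1 200 OK
Content-Type: application/json
Set-Cookie: ss-id=Qm9ndXNJZDE; path=/; samesite=strict; secure; httponly
Set-Cookie: ss-pid=Qm9ndXNJZDI; expires=Fri, 01 Jan 2044 00:00:00 GMT; path=/; Secure; HttpOnly
"""

# Constructed sample: response seen when the header never reached the
# application, plus a cookie whose *value* happens to be "secure".
SAMPLE_NOT_FORWARDED = """HTTP/1.1 200 OK
Content-Type: application/json
Set-Cookie: ss-id=Qm9ndXNJZDE; path=/; samesite=strict; httponly
Set-Cookie: ss-pid=Qm9ndXNJZDI; expires=Fri, 01 Jan 2044 00:00:00 GMT; path=/; HttpOnly
Set-Cookie: theme=secure; path=/
"""

if __name__ == "__main__":
    for label, block in (("forwarded", SAMPLE_FORWARDED),
                         ("not forwarded", SAMPLE_NOT_FORWARDED)):
        print(label, "->", cookies_missing_secure(block) or "all cookies Secure")
```

A non-empty result for a response fetched over HTTPS means the X-Forwarded-Proto: https header is not reaching the application, for example because a proxy in the chain overwrites it with the scheme of its own plain-HTTP listener.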
