You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@guacamole.apache.org by "Ross Golder (JIRA)" <ji...@apache.org> on 2018/04/18 10:15:00 UTC
[jira] [Created] (GUACAMOLE-548) Guacamole cookie does not contain
the 'secure' attribute
Ross Golder created GUACAMOLE-548:
-------------------------------------
Summary: Guacamole cookie does not contain the 'secure' attribute
Key: GUACAMOLE-548
URL: https://issues.apache.org/jira/browse/GUACAMOLE-548
Project: Guacamole
Issue Type: Bug
Affects Versions: 0.9.14
Reporter: Ross Golder
Attachments: Screen Shot 2018-04-17 at 11.26.22.png
One of my colleagues is doing a security audit of our internal network services, which includes our Guacamole instance. Using 'Qualsys Freescan' he gets the following error:
"Cookie Does not contain the 'secure' attribute."
(see attached screenshots)
The setup is a Linux VM running the latest (0.9.14) 'guacamole/guacamole' and 'guacamole/cd' containers being an nginx SSL reverse proxy. The nginx configuration is as per the recommended documentation:
{code:java}
server {
listen 443 ssl;
server_name guacamole.ourdomain.com;
ssl_certificate /etc/letsencrypt/live/guacamole.ourdomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/guacamole.ourdomain.com/privkey.pem;
location = /auth {
proxy_pass https://...(redacted);
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location / {
auth_request /auth;
proxy_pass http://guacamole-lb:8080/guacamole/;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header Forwarded proto=$scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
gzip off;
}
}
{code}
As far as I can see, Guacamole should determine that it's being served via an https connection that it can be configured to generate 'secure' cookie headers. I've tried adding 'X-Forwarded-Proto', 'X-Forwarded-Protocol' and the newer 'Forwarded' headed but the cookies are issues as 'httponly' regardless.
Please advise.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)