You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@guacamole.apache.org by "Ross Golder (JIRA)" <ji...@apache.org> on 2018/04/18 10:15:00 UTC

[jira] [Created] (GUACAMOLE-548) Guacamole cookie does not contain the 'secure' attribute

Ross Golder created GUACAMOLE-548:
-------------------------------------

             Summary: Guacamole cookie does not contain the 'secure' attribute
                 Key: GUACAMOLE-548
                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-548
             Project: Guacamole
          Issue Type: Bug
    Affects Versions: 0.9.14
            Reporter: Ross Golder
         Attachments: Screen Shot 2018-04-17 at 11.26.22.png

 

One of my colleagues is doing a security audit of our internal network services, which includes our Guacamole instance. Using 'Qualsys Freescan' he gets the following error:

"Cookie Does not contain the 'secure' attribute."

(see attached screenshots)

The setup is a Linux VM running the latest (0.9.14) 'guacamole/guacamole' and 'guacamole/cd' containers being an nginx SSL reverse proxy. The nginx configuration is as per the recommended documentation:

 

 
{code:java}
server {
listen 443 ssl;
server_name guacamole.ourdomain.com;

ssl_certificate /etc/letsencrypt/live/guacamole.ourdomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/guacamole.ourdomain.com/privkey.pem;

location = /auth {
proxy_pass https://...(redacted);
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

location / {
auth_request /auth;
proxy_pass http://guacamole-lb:8080/guacamole/;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header Forwarded proto=$scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
gzip off;
}
}

{code}
 

As far as I can see, Guacamole should determine that it's being served via an https connection that it can be configured to generate 'secure' cookie headers. I've tried adding 'X-Forwarded-Proto', 'X-Forwarded-Protocol' and the newer 'Forwarded' headed but the cookies are issues as 'httponly' regardless.

Please advise.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)