Vulnerability and security scanners might alert when a HTTPS site does not contain the "secure" flag in the "set-cookie" response header.
This situation often happens when HTTPS/SSL offloading is used in front of the web application server. A reverse proxy or load balancer handles the encrypted https communication between the client and the infrastructure and then (often) communicates with plain HTTP to the application server in the internal network.
[Client] ----> https://jira.example.com [Reverse Proxy] ----> http://jiraserver.internal:8080 [Application Server]
The missing secure flag in the set-cookie header can be verified very quickly using curl:
$ curl -s https://jira.example.com -I|grep SESSION
set-cookie: JSESSIONID=CFAF22396081CF4330BD8E5A741F1AE7; Path=/; HttpOnly
Jira uses Tomcat in the background and Tomcat's server.xml should already be partially prepared for this setup, by setting the proxyName, proxyPort and the HTTP scheme to https:
<!-- Communication via Reverse Proxy jira.example.com -->
<Connector port="8080"
relaxedPathChars="[]|"
relaxedQueryChars="[]|{}^\`"<>"
maxThreads="150"
minSpareThreads="25"
connectionTimeout="20000"
enableLookups="false"
maxHttpHeaderSize="8192"
protocol="HTTP/1.1"
useBodyEncodingForURI="true"
redirectPort="8443"
acceptCount="100"
disableUploadTimeout="true"
bindOnInit="false"
proxyName="jira.example.com"
proxyPort="443"
scheme="https" />
But that's not enough for Tomcat to enhance the "set-cookie" header with the secure flag. An additional parameter is required in the <Connector> context:
<!-- Communication via Reverse Proxy jira.example.com -->
<Connector port="8080"
relaxedPathChars="[]|"
relaxedQueryChars="[]|{}^\`"<>"
maxThreads="150"
minSpareThreads="25"
connectionTimeout="20000"
enableLookups="false"
maxHttpHeaderSize="8192"
protocol="HTTP/1.1"
useBodyEncodingForURI="true"
redirectPort="8443"
acceptCount="100"
disableUploadTimeout="true"
bindOnInit="false"
proxyName="jira.example.com"
proxyPort="443"
secure="true"
scheme="https" />
Here the secure="true" parameter was added to the Connector.
After a Jira restart (/etc/init.d/jira stop, followed by a /etc/init.d/jira start), the secure flag is now set:
$ curl -s https://jira.example.com -I|grep SESSION
set-cookie: JSESSIONID=4BCCC0389B0EA625F4B725E1DC415CD1; Path=/; Secure; HttpOnly
Of course this basically applies to all Tomcat servers (therefore also Atlassian Confluence).
No comments yet.
AWS Android Ansible Apache Apple Atlassian BSD Backup Bash Bluecoat CMS Chef Cloud Coding Consul Containers CouchDB DB DNS Database Databases Docker ELK Elasticsearch Filebeat FreeBSD Galera Git GlusterFS Grafana Graphics HAProxy HTML Hacks Hardware Icinga Influx Internet Java KVM Kibana Kodi Kubernetes LVM LXC Linux Logstash Mac Macintosh Mail MariaDB Minio MongoDB Monitoring Multimedia MySQL NFS Nagios Network Nginx OSSEC OTRS Office OpenSearch PGSQL PHP Perl Personal PostgreSQL Postgres PowerDNS Proxmox Proxy Python Rancher Rant Redis Roundcube SSL Samba Seafile Security Shell SmartOS Solaris Surveillance Systemd TLS Tomcat Ubuntu Unix VMWare VMware Varnish Virtualization Windows Wireless Wordpress Wyse ZFS Zoneminder