Netgate Discussion Forum

    HAProxy - Cookie Protection

      psmithusa

      We are currently using the HAProxy package on our pfSense. It does SSL decryption and then sends inbound traffic to a set of backend web servers.

      We are leveraging Auth0 for the authentication for the web application and the token is through a cookie.

      To get this to work through HAProxy, on the Backend tab we create the backend pool and have to enable the Cookie Protection tick option.

      When we enable that we are greeted with a message that states:
      [WARNING] 296/104046 (11952) : parsing [/var/etc/haproxy/haproxy.cfg:57] : The 'rspirep' directive is deprecated in favor of 'http-response replace-header' and will be removed in next version.

      At this point I have been unable to locate where the 'http-response replace-header' is enabled through the pfSense interface and am wondering how we turn this on instead to ensure our applications keep working when this next version is released/applied to our pfSense.

      Anyone run into this and know the fix/workaround for it?

        PiBa @psmithusa

        @psmithusa
        Hi, I've made a little fix for this in haproxy-devel, can you try it out?
        https://github.com/pfsense/FreeBSD-ports/pull/972
        Just change the line of code from the old to the new in the haproxy.inc file.. Or apply the patch for that file with the system-patches package, or maybe wait for version 0.61 of the haproxy-devel package.. But it would be nice if you could maybe try before it's 'officially' packaged..

          psmithusa @PiBa

          @PiBa

          As this is a production system, let me stand up a test device and will execute your instructions there. If that goes well then I will execute on the production system to make sure it works for us.
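
A check that can be run on a test device, as an added example that is not part of the thread or of the pfSense package: it parses HAProxy startup warnings in the format quoted in the first post and reports the config line each one points at. Only the warning line comes from the post; the config contents and the helper names are constructed for illustration.

```python
import re
from typing import NamedTuple

# Shape of the startup warning quoted in the first post.
WARNING_RE = re.compile(
    r"\[WARNING\]\s+\S+\s+\(\d+\)\s*:\s*parsing\s+"
    r"\[(?P<path>[^\]:]+):(?P<line>\d+)\]\s*:\s*"
    r"The '(?P<old>[^']+)' directive is deprecated in favor of '(?P<new>[^']+)'"
)

class Finding(NamedTuple):
    path: str
    line: int
    old: str    # deprecated directive named in the warning
    new: str    # replacement named in the warning
    text: str   # config line the warning points at ("" if unavailable)

def find_deprecations(log_text, configs):
    """One Finding per deprecation warning; configs maps path -> file contents."""
    findings = []
    for m in WARNING_RE.finditer(log_text):
        lineno = int(m["line"])
        cfg = configs.get(m["path"], "").splitlines()
        text = cfg[lineno - 1].strip() if 0 < lineno <= len(cfg) else ""
        findings.append(Finding(m["path"], lineno, m["old"], m["new"], text))
    return findings

def lines_using(cfg_text, keyword):
    """1-based numbers of config lines whose first word is keyword."""
    return [n for n, line in enumerate(cfg_text.splitlines(), 1)
            if line.split(None, 1)[:1] == [keyword]]

# Warning text as posted above.
SAMPLE_LOG = ("[WARNING] 296/104046 (11952) : parsing [/var/etc/haproxy/haproxy.cfg:57] : "
              "The 'rspirep' directive is deprecated in favor of "
              "'http-response replace-header' and will be removed in next version.\n")
# Constructed configs (not what the pfSense package writes): 56 filler lines,
# then the old-style rule and its new-style counterpart on line 57.
OLD_CFG = "# filler\n" * 56 + "    rspirep ^(Set-Cookie:.*) \\1;\\ Secure\n"
NEW_CFG = "# filler\n" * 56 + "    http-response replace-header Set-Cookie (.*) \\1;\\ Secure\n"

if __name__ == "__main__":
    for f in find_deprecations(SAMPLE_LOG, {"/var/etc/haproxy/haproxy.cfg": OLD_CFG}):
        print(f"{f.path}:{f.line}: '{f.old}' -> '{f.new}': {f.text}")
    print("rspirep lines left after change:", lines_using(NEW_CFG, "rspirep"))
```

After the change is applied on the test device, the generated config should contain no `rspirep` lines and a restart should produce no matching warning.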

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.