Nginx – proxy_cookie_path not working in nginx

nginx, nginx-location, nginx-reverse-proxy

Whatever cookie response is coming from my backend server, I want to change the PATH value in the cookie request.

After learning from nginx, I was asked to use the proxy_cookie_path directive.

So I have been trying to use the proxy_cookie_path directive in my nginx configuration.

Here is the response from nginx back to the client.
I am trying to change the value of PATH from / to /abc/xyz/120.

HTTP/1.1 201 CREATED
Server: nginx
Date: Thu, 31 Aug 2017 12:16:10 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Cookie
X-Frame-Options: SAMEORIGIN
Allow: POST, OPTIONS
Set-Cookie: expires=Thu, 30-Aug-2018 12:19:09 GMT; Max-Age=31449600; Path=/
Strict-Transport-Security: max-age=15768000

And here are the nginx rules:

# proxy needed for auth to work
location /tron/api/v1/ {

    proxy_ssl_session_reuse off;
    # End of extra settings
    proxy_set_header        X-Real-IP $remote_addr;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;

    proxy_set_header        X-Forwarded-Host $host;
    proxy_set_header        X-Forwarded-Server $host;

    # End of extra settings
    proxy_set_header        X-Scheme $scheme;

    location ~ ^/tron/api/v1/(.*) {

        if ($cookie_VD_TYPE = "XYZ") {

            proxy_pass              https://10.132.250.$cookie_XYZ/tron/api/v1/$1$is_args$args;
            proxy_cookie_path off;
            proxy_cookie_path      / /abc/xyz/120;

        }

        proxy_pass            https://10.132.250.$cookie_ABC/tron/api/v1/$1$is_args$args;
    }
}

So the problem is when I added

proxy_cookie_path off;
proxy_cookie_path / /abc/xyz/120;

Using this directive gives me the error

 "proxy_cookie_path" directive is not allowed here in /etc/nginx/sites-enabled/default

I have checked my nginx -V to know if it is installed.
So my questions here are:

  1. Is it the correct approach, i.e. is proxy_cookie_path the solution?

  2. If proxy_cookie_path is the solution, then I am not placing it in the correct place. Correct me if I am wrong.

nginx/1.10.1
built with OpenSSL 1.0.1f 6 Jan 2014
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_flv_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_mp4_module --with-http_perl_module=dynamic --with-http_random_index_module --with-http_secure_link_module --with-http_sub_module --with-http_xslt_module=dynamic --with-mail=dynamic --with-mail_ssl_module --with-stream=dynamic --with-stream_ssl_module --add-dynamic-module=/build/nginx-JCHwcf/nginx-1.10.1/debian/modules/headers-more-nginx-module --add-dynamic-module=/build/nginx-JCHwcf/nginx-1.10.1/debian/modules/nginx-auth-pam --add-dynamic-module=/build/nginx-JCHwcf/nginx-1.10.1/debian/modules/nginx-cache-purge --add-module=/build/nginx-JCHwcf/nginx-1.10.1/debian/modules/nginx-dav-ext-module --add-dynamic-module=/build/nginx-JCHwcf/nginx-1.10.1/debian/modules/nginx-development-kit --add-dynamic-module=/build/nginx-JCHwcf/nginx-1.10.1/debian/modules/nginx-echo --add-dynamic-module=/build/nginx-JCHwcf/nginx-1.10.1/debian/modules/ngx-fancyindex --add-dynamic-module=/build/nginx-JCHwcf/nginx-1.10.1/debian/modules/nchan --add-dynamic-module=/build/nginx-JCHwcf/nginx-1.10.1/debian/modules/nginx-lua --add-dynamic-module=/build/nginx-JCHwcf/nginx-1.10.1/debian/modules/nginx-upload-progress --add-dynamic-module=/build/nginx-JCHwcf/nginx-1.10.1/debian/modules/nginx-upstream-fair --add-dynamic-module=/build/nginx-JCHwcf/nginx-1.10.1/debian/modules/ngx_http_substitutions_filter_module

Best Answer

You need to use proxy_cookie_path outside of the if block. proxy_cookie_path is only allowed in http, server, location. So you can use it inside an if block inside location.

Edit-1

If for some reason you still need to do this, try the config below:

location /tron/api/v1/ {
  # 418 is used only as an internal signal to jump to the named location
  error_page 418 = @xyz_cookie;

  recursive_error_pages on;
  proxy_ssl_session_reuse off;

  # Forward client and host information to the backend
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

  proxy_set_header X-Forwarded-Host $host;
  proxy_set_header X-Forwarded-Server $host;

  proxy_set_header X-Scheme $scheme;

  # "return" is safe inside "if"; proxy_cookie_path is not allowed there
  if ($cookie_VD_TYPE = "XYZ") {
    return 418;
  }

  # $request_uri carries the original path and query string; $1 is not set
  # here because this is a prefix location with no regex capture
  proxy_pass https://10.132.250.$cookie_ABC$request_uri;
}

location @xyz_cookie {
  proxy_ssl_session_reuse off;

  # Forward client and host information to the backend
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

  proxy_set_header X-Forwarded-Host $host;
  proxy_set_header X-Forwarded-Server $host;

  proxy_set_header X-Scheme $scheme;

  # Same reasoning as above: a named location has no regex capture either
  proxy_pass   https://10.132.250.$cookie_XYZ$request_uri;
  # Allowed here because this is a location context, not an "if" block
  proxy_cookie_path      / /abc/xyz/120;
}

Read "If is Evil" to know more about the issues with if.
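
An if-free variant of the same routing, as an added example that is not part of the original question or answer: map picks both the cookie Path replacement and the backend octet, so proxy_cookie_path can stay directly in the location. The variable names $cookie_path_prefix, $backend_octet_raw and $backend_octet are made up for this example. Because the last octet of the upstream address is taken from a client-supplied cookie, the example also restricts it to 1-254 and rejects anything else.

```nginx
# Added example (not from the original post). The map blocks belong in the
# http {} context; the location replaces the one in the existing server {}.
# $cookie_path_prefix, $backend_octet_raw and $backend_octet are made-up names.

# Replacement for the cookie Path prefix "/". The default "/" is a no-op.
map $cookie_VD_TYPE $cookie_path_prefix {
    default  /;
    XYZ      /abc/xyz/120;
}

# Which client cookie supplies the last octet of the backend address.
map $cookie_VD_TYPE $backend_octet_raw {
    default  $cookie_ABC;
    XYZ      $cookie_XYZ;
}

# Accept only a decimal host octet 1-254; anything else maps to "".
map $backend_octet_raw $backend_octet {
    default                                    "";
    "~^(?:[1-9]\d?|1\d\d|2[0-4]\d|25[0-4])$"   $backend_octet_raw;
}

location /tron/api/v1/ {
    # Missing or malformed cookie: refuse instead of building an upstream
    # address from unchecked client input. "return" is safe inside "if".
    if ($backend_octet = "") {
        return 400;
    }

    proxy_ssl_session_reuse off;
    proxy_set_header X-Real-IP          $remote_addr;
    proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Host   $host;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Scheme           $scheme;

    # With variables in proxy_pass the URI is sent as written, so pass the
    # original request URI (path plus query string) through unchanged.
    proxy_pass https://10.132.250.$backend_octet$request_uri;

    # Location context, so the directive is accepted; the replacement may
    # contain variables, which is what lets map drive it.
    proxy_cookie_path / $cookie_path_prefix;
}
```

Run nginx -t after the change to confirm the directive is now accepted in this context.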
