# Cookie Rewriting

Contour now enables users to customize attributes on HTTP `Set-Cookie` response headers.
Application-specific cookies and cookies generated by Contour's ["cookie" load balancing strategy](https://projectcontour.io/docs/v1.19.0/config/request-routing/#session-affinity) can be rewritten either per HTTPProxy `Route` or per `Service`.
Users can currently choose to rewrite the `Path`, `Domain`, `Secure`, and `SameSite` attributes of the `Set-Cookie` header.
These are attributes an application may not be able to set accurately without prior knowledge of how it is deployed.
For example, if Contour is in use to rewrite the path or hostname of a request before it reaches an application backend, the application may not be able to set the `Path` and `Domain` attributes in a `Set-Cookie` response header correctly.
This feature can be used to apply security settings to ensure browsers treat generated cookies appropriately.
The `SameSite` and `Secure` attributes are currently not set by Envoy when it generates the `X-Contour-Session-Affinity` cookie, but with this feature users can customize this cookie further.

## Per-Route Cookie Rewriting

In order to implement separate cookie rewriting policies per route, we can configure an HTTPProxy as below:

```yaml
# cookie-rewrite-route.yaml
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: cookie-rewrite-route
spec:
  virtualhost:
    fqdn: cookie-rewrite-route.com
  routes:
    - conditions:
      - prefix: /admin
      services:
        - name: admin-app
          port: 80
      cookieRewritePolicies:
        - name: X-Admin-Session
          pathRewrite:
            value: /admin
    - conditions:
      - prefix: /payments
      services:
        - name: payment-app
          port: 80
      cookieRewritePolicies:
        - name: X-User-Session
          pathRewrite:
            value: /payments
          sameSite: Lax
        - name: X-User-Data
          sameSite: Lax
```

This HTTPProxy allows us to rewrite the `Path` attribute of the `X-Admin-Session` cookie on the `/admin` route.
In addition, on the `/payments` route we rewrite the `Path` and `SameSite` attributes of the `X-User-Session` cookie and the `SameSite` attribute of the additional `X-User-Data` cookie.
If the backing services `payment-app` and `admin-app` return the specified cookies in `Set-Cookie` response headers, they will be rewritten with the values specified above.

## Per-Service Cookie Rewriting

Similar to the above, if we have more than one `Service` configured per `Route` but want to customize cookies separately between them, we can:

```yaml
# cookie-rewrite-service.yaml
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: cookie-rewrite-service
spec:
  virtualhost:
    fqdn: cookie-rewrite-service.com
  routes:
    - conditions:
      - prefix: /
      services:
        - name: backend-1
          port: 80
          cookieRewritePolicies:
            - name: X-User-Data-1
              domainRewrite:
                value: cookie-rewrite-service.com
        - name: backend-2
          port: 80
          cookieRewritePolicies:
            - name: X-User-Data-2
              domainRewrite:
                value: cookie-rewrite-service.com
```

## Rewriting Contour Session Affinity Cookie

As mentioned above, users can use Contour's cookie load balancing strategy to enable session affinity.
Envoy generates a pretty bare-bones cookie, but Contour's cookie rewriting feature can be used to customize this cookie to add security attributes:

```yaml
# cookie-rewrite-session-affinity.yaml
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: cookie-rewrite-session-affinity
spec:
  virtualhost:
    fqdn: cookie-rewrite-session-affinity.com
  routes:
    - conditions:
      - prefix: /
      services:
        - name: backend
          port: 80
      loadBalancerPolicy:
        strategy: Cookie
      cookieRewritePolicies:
        - name: X-Contour-Session-Affinity
          sameSite: Strict
          secure: true
```
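To make the effect of these policies concrete, the following added example (not Contour's or Envoy's code) models what a `cookieRewritePolicies` entry does to a single `Set-Cookie` header, using the `/payments` route and session-affinity policies above; the `CookieRewritePolicy` class, the sample headers and the assumption that `secure: false` removes the attribute are constructed for illustration, and attribute ordering in the output is not meant to match Envoy's.

```python
"""Model of what a cookieRewritePolicies entry does to a Set-Cookie header
(illustrative; not Contour's or Envoy's implementation)."""
from dataclasses import dataclass
from typing import Optional

CANONICAL = {"path": "Path", "domain": "Domain", "samesite": "SameSite",
             "secure": "Secure", "httponly": "HttpOnly", "max-age": "Max-Age"}


@dataclass
class CookieRewritePolicy:
    """Fields mirror the HTTPProxy examples above (pathRewrite.value etc.)."""
    name: str
    path: Optional[str] = None       # pathRewrite.value
    domain: Optional[str] = None     # domainRewrite.value
    same_site: Optional[str] = None  # sameSite: Lax | Strict | None
    secure: Optional[bool] = None    # secure: true adds, false removes (assumed)


def rewrite_set_cookie(header: str, policies: list) -> str:
    """Apply the policy whose name matches the cookie; other cookies pass through."""
    name_value, *raw_attrs = [p.strip() for p in header.split(";")]
    policy = next((p for p in policies if p.name == name_value.split("=", 1)[0]), None)
    if policy is None:
        return header
    attrs = {}  # lower-cased attribute name -> value (None for flag attributes)
    for raw in raw_attrs:
        key, _, value = raw.partition("=")
        if key:
            attrs[key.strip().lower()] = value.strip() or None
    if policy.path is not None:
        attrs["path"] = policy.path
    if policy.domain is not None:
        attrs["domain"] = policy.domain
    if policy.same_site is not None:
        attrs["samesite"] = policy.same_site
    if policy.secure is True:
        attrs["secure"] = None
    elif policy.secure is False:
        attrs.pop("secure", None)
    rendered = [k if v is None else f"{k}={v}" for k, v in
                ((CANONICAL.get(key, key), val) for key, val in attrs.items())]
    return "; ".join([name_value, *rendered])


# Policies from the /payments route and the session-affinity example above.
PAYMENTS_POLICIES = [CookieRewritePolicy("X-User-Session", path="/payments", same_site="Lax"),
                     CookieRewritePolicy("X-User-Data", same_site="Lax")]
AFFINITY_POLICIES = [CookieRewritePolicy("X-Contour-Session-Affinity", same_site="Strict", secure=True)]
```

A quick way to check the real deployment is to compare the `Set-Cookie` headers a backend emits directly with those returned through Contour for the same route.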