HAProxy community

Unable to set a cookie on 301 redirect

Good Afternoon,

I am attempting to do a 301 redirect from my old domain to my new domain, but to have a cookie in the redirect so I can have a popup greeting on my new domain for those who have been redirected. I have tried the following:
frontend https-external
    log /dev/log local0 debug
    option httplog
    mode http
    http-request set-header X-This-redirect This-redirect
    maxconn 2048
    bind vip-web:443 ssl crt /etc/haproxy/certs

And in the redirect itself I have:
    acl redirect-friends path_beg /friends
    redirect location https://newsite.co.uk/ code 301 set-cookie REDIRECTED if redirect-friends
    acl redirect-faq path_beg /faq
    redirect location https://newsite.co.uk/frequently-asked-questions code 301 set-cookie REDIRECTED if redirect-faq

The redirects work, and I get to where I want to go; I just don’t see any of the cookies or headers I have set.

What am I doing wrong?

I am running HA-Proxy version 1.6.3 2015/12/25 on Ubuntu 16.04.

Thanks in advance.
Drew

You cannot set a cookie in a redirect, unless you want to jump through a number of hoops (dedicating an empty backend and creating a custom HTTP error containing the redirect and the cookie).

Why don’t you just use the referer on your destination domain?

Thank you for your swift response.

I still seem to have an issue. I don’t seem to get any referer headers after the redirect. This is a slightly massaged output from curl (mostly removing the many Expire lines and replacing the URL and IP addresses):
curl -vvvvL https://www.oldsite.co.uk/
* Expire in 0 ms for 6 (transfer 0x559cab3545c0)
* Trying
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x559cab3545c0)
* Connected to www.oldsite.co.uk port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: OU=Domain Control Validated; CN=*.oldsite.co.uk
* start date: Apr 2 16:36:01 2018 GMT
* expire date: Apr 2 16:36:01 2020 GMT
* subjectAltName: host "www.oldsite.co.uk" matched cert's "*.oldsite.co.uk"
* issuer:
* SSL certificate verify ok.
> GET / HTTP/1.1
> Host: www.oldsite.co.uk
> User-Agent: curl/7.64.0
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Content-length: 0
< Location: https://www.newsite.co.uk
< Connection: close
<
* Closing connection 0
* Issue another request to this URL: 'https://www.newsite.co.uk/'
* Expire in 1 ms for 1 (transfer 0x559cab3545c0)
* Expire in 50 ms for 1 (transfer 0x559cab3545c0)
* Trying
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x559cab3545c0)
* Connected to www.newsite.co.uk port 443 (#1)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: CN=www.newsite.co.uk
* start date: Aug 15 15:41:03 2018 GMT
* expire date: Sep 30 09:41:02 2020 GMT
* subjectAltName: host "www.newsite.co.uk" matched cert's "www.newsite.co.uk"
* issuer:
* SSL certificate verify ok.
> GET / HTTP/1.1
> Host: www.newsite.co.uk
> User-Agent: curl/7.64.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Mon, 10 Jun 2019 16:02:56 GMT
< Server: Apache-Coyote/1.1
< P3P: policyref="/w3c/p3p.xml", CP="NOI DPS COR CURa ADMa OUR NOR "
< X-Frame-Options: SAMEORIGIN
< Content-Type: text/html;charset=utf-8
< Content-Language: en-GB
< Set-Cookie: JSESSIONID=99235511898EE5ED4802D4605057F38B; Path=/; HttpOnly
< Set-Cookie: qtest_vdp2=old; Expires=Wed, 10-Jul-2019 16:02:56 GMT; Path=/
< Vary: Accept-Encoding
< Transfer-Encoding: chunked
< Set-Cookie: VIP1=webserver4; path=/
<

<!DOCTYPE html>
<html lang="en">
<head>

I have looked in the developer tools in Chrome, and I can’t seem to see the referer there either. This was why I started to go down the route of adding a cookie.

As an aside, if you can’t set a cookie in a redirect, why is it an option?

A cookie won’t help you anyway, because the cookie will only be valid for the original site, not the destination site, so it’s useless.

Referer should afaik be there from one HTTPS site to another, but I guess CSP and other things could interfere with that.

Why don’t you point to a specific destination URI, like:

redirect location https://newsite.co.uk/frequently-asked-questions?redirected=YES code 301 if redirect-faq
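
The two points in the reply above, modelled as an added example (not code from the thread or from HAProxy): RFC 6265 cookie scoping, which keeps a cookie set by the old host away from the new one, and destination-side handling of the `redirected` marker as untrusted input. The function names and the three-entry public-suffix set are assumptions made for the illustration.

```javascript
// Added example; hostnames mirror the thread, function names are hypothetical.
// Constructed stand-in for the Public Suffix List that browsers consult.
const PUBLIC_SUFFIXES = new Set(["uk", "co.uk", "com"]);

// RFC 6265 section 5.1.3 domain-match.
function domainMatch(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  if (h === d) return true;
  // Suffix match only on a label boundary, and never for IP literals.
  const isIp = /^[\d.]+$/.test(h) || h.includes(":");
  return !isIp && h.endsWith("." + d);
}

// Would a cookie set in a response from setterHost reach requestHost?
function cookieSentTo(requestHost, setterHost, domainAttr) {
  // No Domain attribute: host-only cookie, exact host match required.
  if (!domainAttr) return requestHost.toLowerCase() === setterHost.toLowerCase();
  const d = domainAttr.toLowerCase().replace(/^\./, "");
  // Browsers discard cookies scoped to a public suffix or to a domain
  // the setting host does not itself belong to.
  if (PUBLIC_SUFFIXES.has(d) || !domainMatch(setterHost, d)) return false;
  return domainMatch(requestHost, d);
}

// Destination side: ?redirected=YES is client-controlled, so accept only the
// exact expected value, use it as a boolean, and never echo it into the page.
function readRedirectMarker(href) {
  const url = new URL(href);
  const values = url.searchParams.getAll("redirected");
  const showGreeting = values.length === 1 && values[0] === "YES";
  url.searchParams.delete("redirected"); // clean URL for history.replaceState
  return { showGreeting, cleanUrl: url.toString() };
}
```

In a browser, `cleanUrl` can be passed to `history.replaceState` after the greeting is shown so the marker does not survive in bookmarks or shared links.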