3

I am fairly new to nginx and I am trying to set it up as a reverse proxy server. So far I have apache working as a backend server on 8080 and nginx on port 80.

My website uses a lot of cookies which I have no control over... I am using Expression Engine CMS, and it does not allow me to disable the cookies that I don't want (don't want to meddle with EE core code).

So let's say that a typical hit on my homepage returns cookies A, B and C which I don't use. Sometimes I also have cookies D and E which I need.

I want to set up nginx to hide cookies A, B and C from the response and return cached content only if the request is cookie free or cookies D and E are empty.

Is that possible to set up under nginx?

So far I have this in my config, which ignores any cookies. I just want to ignore or hide certain cookies:

proxy_cache_path /opt/nginx/cache levels=1:2 keys_zone=mycache:20m max_size=1G;
proxy_temp_path /opt/nginx/tmp_cache/;
proxy_ignore_headers Expires Cache-Control Set-Cookie;
proxy_cache_use_stale error timeout invalid_header http_502;
proxy_cache_bypass $cookie_nocache;
proxy_no_cache $cookie_nocache;

...

location / {
    proxy_set_header X-Real-IP  $remote_addr;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_cache mycache;
    proxy_cache_valid  200 302  6h;
    proxy_cache_valid  404      1m;
    proxy_pass http://x.x.x.x:8080;
}
Martin Taleski
  • Because you are using 'proxy_ignore_headers' on Set-Cookie, you are going to cache responses even if they do have cookies D or E, that may not be what you want. – Allan Jude Dec 30 '12 at 05:25
  • yeah, I need proxy_hide_headers but only on the ones that I want to hide – Martin Taleski Dec 30 '12 at 11:03

1 Answer

3

Wouldn't it be possible to explicitly set the cookie-headers? So something like:

add_header Set-Cookie "A=deleted; Expires=Thu, 01-Jan-1970 00:00:01 GMT; Path=/; Domain=.foo.com";
add_header Set-Cookie "B=deleted; Expires=Thu, 01-Jan-1970 00:00:01 GMT; Path=/; Domain=.foo.com";
add_header Set-Cookie "C=deleted; Expires=Thu, 01-Jan-1970 00:00:01 GMT; Path=/; Domain=.foo.com";

You could use proxy_set_header with the header name "Cookie" instead of add_header, if it doesn't work. I don't have a development nginx instance running here so I can't test.

Sources:

bartlaarhoven
  • proxy_set_header sets the headers that are sent to the backend (apache in this case), so that won't do what you want in this case. – Allan Jude Dec 30 '12 at 05:24
  • You're right about that. Edited my response. – bartlaarhoven Dec 30 '12 at 13:41
  • The proposed solution does not work on my setup: the cookie set and delete are being sent in the same header, which apparently causes the browser to effectively set the cookie instead of ignoring or removing it. – fbmd Apr 07 '21 at 16:11
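
The policy this thread is after, as an added example (not code from the question, the answer or nginx itself): upstream Set-Cookie lines for A, B and C are dropped rather than followed by a delete, which avoids the set-plus-delete conflict the last comment reports, and a response that still sets any cookie is never stored, which is the risk raised in the first comment on the question. It is plain JavaScript showing the decision logic only; the function names are hypothetical and A to E are the question's placeholder cookie names.

```javascript
// Added example. A-E are the question's placeholder cookie names;
// every function name here is hypothetical.
const UNWANTED = new Set(["A", "B", "C"]); // stripped from every response
const NEEDED = ["D", "E"];                 // non-empty value => skip the cache

// Split the first "name=value" pair off a Set-Cookie line or Cookie fragment.
function parsePair(text) {
  const pair = text.split(";", 1)[0];
  const eq = pair.indexOf("=");
  if (eq === -1) return { name: pair.trim(), value: "" };
  return { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim() };
}

// Request Cookie header value ("D=1; x=2") -> Map of name -> value.
function parseCookieHeader(header) {
  const jar = new Map();
  for (const part of (header || "").split(";")) {
    const { name, value } = parsePair(part);
    if (name !== "") jar.set(name, value);
  }
  return jar;
}

// Decide, for one upstream response, which Set-Cookie lines reach the
// browser and whether the cache may be read or written.
function filterResponse(requestCookie, upstreamSetCookies) {
  const jar = parseCookieHeader(requestCookie);
  const hasNeeded = NEEDED.some((n) => (jar.get(n) || "") !== "");
  const forwarded = upstreamSetCookies.filter(
    (line) => !UNWANTED.has(parsePair(line).name)
  );
  return {
    setCookie: forwarded,
    serveFromCache: !hasNeeded,
    // Never store a response that still sets a cookie: a cached copy
    // would replay that Set-Cookie line to every later visitor.
    storeInCache: !hasNeeded && forwarded.length === 0,
  };
}

// Constructed sample: anonymous visitor, backend sets only A, B and C.
console.log(filterResponse("", ["A=1; Path=/", "B=2", "C=3; HttpOnly"]));
```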