One customer discovered the following: the cookie IS NOT flagged as secure (and it should be) if:

- Route is edge and its insecureEdgeTerminationPolicy is empty. In this situation, it must be flagged as secure as it should be 100% equivalent to setting insecureEdgeTerminationPolicy explicitly to "None".
- Route is edge and its insecureEdgeTerminationPolicy is "Redirect". Cookies in this situation must be flagged as secure because, although an HTTP connection is admitted, a redirect is immediately issued. So the cookie is never set by HTTP and it does not make any sense to send the cookie via HTTP if you are going to receive a redirect and you are not going to attack any application instance via HTTP (thus, there is nothing to stick to).

While investigating the topic, we found out that the following part of the HAProxy router template was responsible for this behaviour:

    {{ if and (eq $cfg.TLSTermination "edge") (eq $cfg.InsecureEdgeTerminationPolicy "None") }}
    cookie {{$cfg.RoutingKeyName}} insert indirect nocache httponly secure
    {{ else }}
    cookie {{$cfg.RoutingKeyName}} insert indirect nocache httponly
    {{ end }}

As we can see, a "Redirect" InsecureEdgeTerminationPolicy is not considered at all, and if it is empty, it does not equal "None" (because it is empty) and falls back to the "else" clause without the secure flag.

We have custom templates for other reasons, so we replaced that code fragment with:

    {{ if and (eq $cfg.TLSTermination "edge") (ne $cfg.InsecureEdgeTerminationPolicy "Allow") }}
    cookie {{$cfg.RoutingKeyName}} insert indirect nocache httponly secure
    {{ else }}
    cookie {{$cfg.RoutingKeyName}} insert indirect nocache httponly
    {{ end }}

As you can see, now we flag as secure edge routes that do not have an InsecureEdgeTerminationPolicy of "Allow" (i.e. they are "Redirect" or "None"/empty), and we do not flag them as secure for routes without TLS and edge routes with InsecureEdgeTerminationPolicy "Allow" (i.e. those expected to forward HTTP traffic to application instances). Note that cookies for "Reencrypt" routes are handled elsewhere in the template. What the customer would like is to confirm that their fixes/improvements in the custom templates are valid and can be incorporated into the official HAProxy router template.
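To see how the two fragments behave for each policy value, here is an added example (not part of the report and not the OpenShift router's own code) that renders both fragments with Go's text/template, the engine whose syntax the router template uses. RouteCfg, RenderCookieLine, HasSecureFlag and SecureByPolicy are names invented for this example, and the leading `{{ $cfg := . }}` is added only to bind $cfg, which the real template gets from its surrounding code.

```go
package main

import (
	"fmt"
	"strings"
	"text/template"
)

// RouteCfg carries the three fields the quoted template fragment reads from $cfg.
// The field names match the template; the struct itself is an assumption made
// for this example, not the router's real config type.
type RouteCfg struct {
	TLSTermination                string // "edge", "passthrough", "reencrypt" or "" (no TLS)
	InsecureEdgeTerminationPolicy string // "", "None", "Allow" or "Redirect"
	RoutingKeyName                string
}

// OriginalFragment is the fragment quoted in the report as it was before the fix.
// "{{ $cfg := . }}" binds $cfg to the value passed to Execute; in the real router
// template that binding comes from the surrounding code (assumption).
const OriginalFragment = `{{ $cfg := . }}
{{ if and (eq $cfg.TLSTermination "edge") (eq $cfg.InsecureEdgeTerminationPolicy "None") }}
cookie {{$cfg.RoutingKeyName}} insert indirect nocache httponly secure
{{ else }}
cookie {{$cfg.RoutingKeyName}} insert indirect nocache httponly
{{ end }}`

// FixedFragment is the customer's replacement quoted in the report.
const FixedFragment = `{{ $cfg := . }}
{{ if and (eq $cfg.TLSTermination "edge") (ne $cfg.InsecureEdgeTerminationPolicy "Allow") }}
cookie {{$cfg.RoutingKeyName}} insert indirect nocache httponly secure
{{ else }}
cookie {{$cfg.RoutingKeyName}} insert indirect nocache httponly
{{ end }}`

// RenderCookieLine executes one fragment against a route config and returns
// the resulting HAProxy "cookie" directive with surrounding whitespace removed.
func RenderCookieLine(fragment string, cfg RouteCfg) (string, error) {
	t, err := template.New("cookie").Parse(fragment)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	if err := t.Execute(&sb, cfg); err != nil {
		return "", err
	}
	return strings.TrimSpace(sb.String()), nil
}

// HasSecureFlag reports whether a rendered cookie directive carries the
// "secure" keyword, i.e. whether HAProxy will set the cookie with Secure.
func HasSecureFlag(line string) bool {
	for _, word := range strings.Fields(line) {
		if word == "secure" {
			return true
		}
	}
	return false
}

// SecureByPolicy renders both fragments for one route and reports whether
// each one marks the cookie secure.
func SecureByPolicy(cfg RouteCfg) (original bool, fixed bool, err error) {
	o, err := RenderCookieLine(OriginalFragment, cfg)
	if err != nil {
		return false, false, err
	}
	f, err := RenderCookieLine(FixedFragment, cfg)
	if err != nil {
		return false, false, err
	}
	return HasSecureFlag(o), HasSecureFlag(f), nil
}

func main() {
	// Constructed sample routes covering the cases discussed in the report.
	cases := []RouteCfg{
		{"edge", "", "route1_cookie"},
		{"edge", "None", "route2_cookie"},
		{"edge", "Redirect", "route3_cookie"},
		{"edge", "Allow", "route4_cookie"},
		{"", "", "route5_cookie"}, // plain HTTP route, no TLS
	}
	fmt.Printf("%-12s %-10s %-9s %s\n", "termination", "policy", "original", "fixed")
	for _, c := range cases {
		o, f, err := SecureByPolicy(c)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-12q %-10q %-9v %v\n", c.TLSTermination, c.InsecureEdgeTerminationPolicy, o, f)
	}
}
```

Running it prints one row per route: the original fragment only yields "secure" for the edge route whose policy is literally "None", while the fixed fragment yields it for "", "None" and "Redirect" and withholds it for "Allow" and for the route without TLS, which is exactly the behaviour the report asks for.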
This has been merged into ocp and is in OCP v3.5.0.18 or newer.
Verified this bug on OCP v3.5.0.18. When creating an edge route with --insecure-policy='Redirect' or --insecure-policy='None', the cookie will be added with `secure`, and if --insecure-policy='Allow', it will not be secure.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:0884