NeusoftSecurity / SEnginx

Security-Enhanced nginx by Neusoft corporation.
www.senginx.org
BSD 2-Clause "Simplified" License

Cookie value on cluster configuration #32

Closed valintinr closed 9 years ago

valintinr commented 9 years ago

Hello. We are currently using senginx with HTTP Robot Mitigation on our second cluster (4 servers). Our first cluster uses perl Roboo on 5 servers. Load balancing is via BGP (yes, it's dummy balancing w/o session support, but it's working and easy to use), so one request (e.g. /) can be routed via 3-4-5 servers (e.g. / via the 1st server, some images via the 2nd server, some css/js via the 3rd server...).

robot_mitigation_secret is static and the same on each server. So now we have the following issue: after rechallenge the client gets a different cookie value, but it may not be rechallenged on all cluster servers. E.g. clear the cache and the cookie value changes (robot_mitigation_secret static).

On the first cluster with perl Roboo this does not happen; after rechallenge (clear cache, timeout...) the cookie value is the same until the secret changes, using a static Roboo_secret too.

InfoHunter commented 9 years ago

What is your value of 'robot_mitigation_timeout'?

On 10/30/2014 06:08 PM, valintinr wrote:


valintinr commented 9 years ago

robot_mitigation_timeout 3600;

BTW, I can provide 2 domains so you can reproduce this: the first domain is configured on the first cluster with perl Roboo, the second domain is configured on the second cluster with robot_mitigation.

InfoHunter commented 9 years ago

Good, what are the 2 domains?

InfoHunter commented 9 years ago

You can write me an email to tell me the domains if you don't want to expose them to the public. Thanks

valintinr commented 9 years ago

Sorry, didn't see the 2 previous messages. Sent the domain names via email.

You can check the cookie value (TANGRAM-DDOS-FILTER). If you clear cookies in the browser: on the 1st domain the cookie value after rechallenge will be the same; on the 2nd domain the cookie value after rechallenge will be changed. This causes issues, e.g. admin page etc...

All cluster servers have the same static secret.
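A sketch of the property this report is after, as an added example that is not SEnginx or Roboo code: on a cluster without session affinity, a challenge cookie can only be validated by whichever node the next request lands on if it is derived solely from inputs every node shares. The HMAC inputs (client IP, User-Agent, a time bucket of `robot_mitigation_timeout` seconds) and the one-bucket grace period are assumptions for illustration, not SEnginx's actual derivation.

```python
import hmac
import hashlib

# Constructed values: a shared static secret and the timeout from the thread.
SECRET = b"shared-static-secret"
TIMEOUT = 3600  # mirrors "robot_mitigation_timeout 3600;"
COOKIE_NAME = "TANGRAM-DDOS-FILTER"


def time_bucket(now, timeout=TIMEOUT):
    """Index of the timeout window containing 'now' (hypothetical scheme)."""
    return int(now) // timeout


def issue_cookie(secret, client_ip, user_agent, now, timeout=TIMEOUT):
    """Deterministic cookie: HMAC over shared inputs only, so every node
    holding the same secret computes the same value for the same client."""
    msg = f"{client_ip}|{user_agent}|{time_bucket(now, timeout)}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def validate_cookie(secret, client_ip, user_agent, cookie, now, timeout=TIMEOUT):
    """Accept the current bucket and the previous one, so a client challenged
    just before a window boundary is not re-challenged by the next node."""
    for t in (now, now - timeout):
        expected = issue_cookie(secret, client_ip, user_agent, t, timeout)
        if hmac.compare_digest(expected, cookie):
            return True
    return False


def cluster_consistent(node_secrets, client_ip, user_agent, now):
    """True when every node (one secret per node) issues the same cookie;
    a single node with a drifted secret or clock breaks cross-node validation."""
    values = {issue_cookie(s, client_ip, user_agent, now) for s in node_secrets}
    return len(values) == 1


if __name__ == "__main__":
    now = 1_414_660_000  # constructed timestamp
    same = [SECRET] * 4                          # correctly configured cluster
    drifted = [SECRET] * 3 + [b"other-secret"]   # one node misconfigured
    print(COOKIE_NAME, "consistent on 4 identical nodes:",
          cluster_consistent(same, "203.0.113.7", "Mozilla/5.0", now))
    print(COOKIE_NAME, "consistent with one drifted node:",
          cluster_consistent(drifted, "203.0.113.7", "Mozilla/5.0", now))
```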

valintinr commented 9 years ago

It seems the issue is not happening anymore; closing this issue.