Caddy NTLM reverse proxy constant 401 with Windows Admin Center

Completely understand and thank you for your reply!

Just wanted to give an update as I think I got it working for the most part! The issue was a weird mix of cached cookies from prior sessions and cookies needing to be massaged similar to your older post regarding secure cookies. That helped a lot, thanks!

Let me walk through what I did. First I changed my Caddyfile to the JSON format since I wasn’t able to figure out the proper regex syntax to get the same substring functionality working with cookie replacements.

Here is my config:

{
    "apps": {
        "http": {
            "servers": {
                "windows-admin-center": {
                    "listen": [
                        ":80"
                    ],
                    "routes": [
                        {
                            "handle": [
                                {
                                    "handler": "reverse_proxy",
                                    "transport": {
                                        "protocol": "http_ntlm",
                                        "tls": {
                                            "insecure_skip_verify": true
                                        }
                                    },
                                    "headers": {
                                        "response": {
                                            "replace": {
                                                "Set-Cookie": [
                                                    {
                                                        "search": "secure;",
                                                        "replace": ""
                                                    },
                                                    {
                                                        "search": "SameSite=None",
                                                        "replace": "SameSite=Lax"
                                                    }
                                                ]
                                            },
                                            "set": {
                                                "Content-Security-Policy": [
                                                    "frame-ancestors *"
                                                ]
                                            }
                                        }
                                    },
                                    "upstreams": [
                                        {
                                            "dial": "192.168.1.20:9083"
                                        }
                                    ]
                                }
                            ]
                        }
                    ]
                }
            }
        }
    }
}

What I had to do was to remove the secure; bit from Set-Cookie like you had suggested in your post first.

Then I realized that the browser would still complain about SameSite so I changed the cookie to Lax there.

After that the page would still not load claiming the cookie was secure so it can’t change it and what not, and I read that browsers commonly like to use cached cookies. I went ahead and cleared out all the cookies and then it started to load as expected!

I had a few questions I wanted to ask as well as I’ve been working through this.

  1. You’ll notice that I have another cookie set to relax the rules for Content-Security-Policy. I did that so that I could enable iframe access to the proxied page, since my goal was to have Windows Admin Center show up in my Home Assistant Dashboard. It shows up now with that cookie set, but WAC first shows a website saying that a Potential Security Issue Detected. Luckily it does let me continue and it loads as expected, but I don’t suppose there’s anything further I can do in the proxy layer to avoid that message showing up?

  2. I haven’t looked into how to do this yet, but it would be awesome if I could store the credentials for NTLM within the reverse proxy layer so that I would not need to input them every time the cookies expire. Would you have any guidance on how to do that?

Thanks a lot for all your help!

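As an added example (not code from this post or from Caddy), the Python below applies the two Set-Cookie replacements from the config above to constructed sample headers and reports what each rewrite changes for the browser. It assumes Caddy's literal "search" behaves as a plain, case-sensitive substring replacement, which is also why a header spelling the attribute as "Secure;" is left untouched.

```python
from typing import Dict, List, Tuple

# The two literal search/replace pairs from the "Set-Cookie" replace list.
# Assumption: applied in order as plain case-sensitive substring replacement.
REPLACEMENTS: List[Tuple[str, str]] = [
    ("secure;", ""),
    ("SameSite=None", "SameSite=Lax"),
]


def rewrite_set_cookie(header: str) -> str:
    """Return one Set-Cookie value after the proxy's replace rules have run."""
    for search, replace in REPLACEMENTS:
        header = header.replace(search, replace)
    return header


def cookie_attrs(header: str) -> Dict[str, str]:
    """Parse the attribute part of a Set-Cookie value (names lower-cased)."""
    attrs: Dict[str, str] = {}
    for part in header.split(";")[1:]:
        part = part.strip()
        if not part:  # stripping "secure;" leaves an empty segment behind
            continue
        name, _, value = part.partition("=")
        attrs[name.strip().lower()] = value.strip()
    return attrs


def audit_cookie(original: str, rewritten: str) -> List[str]:
    """List the security-relevant differences the rewrite introduced."""
    before, after = cookie_attrs(original), cookie_attrs(rewritten)
    findings: List[str] = []
    if "secure" in before and "secure" not in after:
        findings.append("Secure removed: browser will also send this cookie over plaintext HTTP")
    elif "secure" in before:
        findings.append("Secure still present: literal search did not match (case-sensitive)")
    if before.get("samesite", "").lower() == "none" and after.get("samesite", "").lower() == "lax":
        findings.append("SameSite None->Lax: cookie withheld on cross-site requests")
    return findings


# Constructed sample headers, not captured from Windows Admin Center.
SAMPLE = "SessionId=abc123; Path=/; secure; HttpOnly; SameSite=None"
SAMPLE_CAPITALISED = "SessionId=abc123; Path=/; Secure; HttpOnly; SameSite=None"

if __name__ == "__main__":
    for h in (SAMPLE, SAMPLE_CAPITALISED):
        rw = rewrite_set_cookie(h)
        print(rw, audit_cookie(h, rw))
```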