Problem: nginx reverse proxy request to /api does not work due to HttpOnly in cookie

[macau23]

Issue

I have set up a new semaphore installation to replace the old one.

The API calls are failing because the cookie semaphore set in return to an api request has the HttpOnly flag set, even though TLS is used using the recommended nginx reverse proxy configuration.

This is the file that sets the cookie:

semaphore/api/login.go

Line 211 in 9ccad2b

HttpOnly: true,

New cookie file looks like this:

$ cat .new.cookiejar.dat
# Netscape HTTP Cookie File
# https://curl.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.

#HttpOnly_fqdn.example.com        FALSE   /       FALSE   0       semaphore       XXX

Old cookie file looks like this:

$ cat .old.cookiejar.dat
# Netscape HTTP Cookie File
# https://curl.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.

fqdn.example.com        FALSE   /       FALSE   0       semaphore       XXX

Impact

Web-Backend (APIs)

Installation method

Package

Database

No response

Browser

No response

Semaphore Version

2.15.0-1e13324-1749881537

Ansible Version

ansible [core 2.16.14]

Logs & errors

1.2.3.4 - - [22/Jul/2025:19:17:14 +0000] "POST /api/auth/login HTTP/2.0" 204 0 "-" "curl/7.76.1"
1.2.3.4 - - [22/Jul/2025:19:17:15 +0000] "GET /api/user/tokens HTTP/2.0" 200 3 "-" "curl/7.76.1"
1.2.3.4 - - [22/Jul/2025:19:17:15 +0000] "POST /api/project/1/tasks HTTP/2.0" 401 0 "-" "curl/7.76.1"

Manual installation - system information

nginx

Configuration

No response

Additional information

No response

[fiftin]

Hi @macau23 it looks like nginx configuration issue.

I just tested nginx + semaphore 2.15.0 with recommended configuration and it works fine.

[macau23]

Not sure if you still need it, but this is the script I used to test:

#!/usr/bin/bash

template_id=1
urlbase=https://dev-semaphore.example.com
cookiejar=.cookiejar.dat

rm -f "$cookiejar"

curl -k \
        -c "$cookiejar" \
        -XPOST \
        -H 'Content-Type: application/json' \
        -H 'Accept: application/json' \
        -d '{"auth": "jenkins", "password": "XXX"}' \
        "$urlbase/api/auth/login"

cat "$cookiejar"
grep HttpOnly .cookiejar.dat

[fiftin]

Ah, looks like I'm got the problem.

For security reasons, Semaphore no longer returns the full token in the /api/user/tokens response.

The full token is visible only at the time of creation.

[macau23]

If I generate the token in the gui and give it to curl it works.

But I cannot log in to semaphore in 2.15 with curl and get a cookie that I can use because it is marked http only, so I cannot generate the token.

i.e.

• Log in to semaphore with curl and get a cookie <--- I am stuck here
• Use the cookie to request a token
• Use the token to request a build

[macau23]

I should probably switch to using access tokens instead. Is there a way of naming them, and seeing which token triggered a job?

[fiftin]

Ah, got it. Yes, you should use API token to make API calls.

Is there a way of naming them, and seeing which token triggered a job

No, but you will see user who owns that token.

[macau23]

It should work though right? If I want to automate the fetching of tokens, the cookie part needs to be working.

Ref: https://docs.semaphoreui.com/administration-guide/api/

[fiftin]

What reason to fetch tokens? Your use case is not very clear to me.

[macau23]

I would like to generate a hundred tokens using the api so that I can use each token on a job by job basis.

[fiftin]

@macau23 got it. I'm sure the cookie-based auth must work with curl any case. I will try understand what the problem is this.