Secure sessions with Node.js, Connect, and Nginx as an SSL Proxy

Secure sessions are easy, but they're not very well documented, so I'm changing that.
Here's a recipe for secure sessions in Node.js when NginX is used as an SSL proxy:
The desired configuration for using NginX as an SSL proxy is to offload SSL processing
and to put a hardened web server in front of your Node.js application, like:
[NODE.JS APP] <- HTTP -> [NginX] <- HTTPS -> [CLIENT]
To do this, here's what you need to do:

// 1. In your main app, set up sessions (Express 3 / Connect 2 API shown):
var express = require('express');
var app = express();

// sessionStore stands for a persistent store class defined elsewhere in the
// app (the author uses mongoose/mongodb); its definition is not part of this gist.

// 'trust proxy' makes Connect believe X-Forwarded-* headers, so the Node port
// must only be reachable from nginx, never directly from clients.
app.enable('trust proxy');
app.use(express.bodyParser());
app.use(express.cookieParser());
app.use(express.session({
  secret: 'Super Secret Password',   // placeholder: use a long random value
  proxy: true,                       // session cookie logic also honours the proxy
  key: 'session.sid',
  cookie: {secure: true},            // cookie is only ever sent over HTTPS
  //NEVER use in-memory store for production - I'm using mongoose/mongodb here
  store: new sessionStore()
}));

# 2. Configure nginx to do SSL and forward all the required headers that Connect needs to do secure sessions:
server {
    listen 443;
    server_name localhost;
    ssl on;
    ssl_certificate /etc/nginx/nodeapp.crt;
    ssl_certificate_key /etc/nginx/nodeapp.key;
    ssl_session_timeout 5m;
    # As written when the gist was published; SSLv2 and SSLv3 are broken and
    # current deployments should list only TLSv1.2 (and TLSv1.3) here.
    ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        # THESE ARE IMPORTANT
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # This is what tells Connect that your session can be considered secure,
        # even though the protocol node.js sees is only HTTP:
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_read_timeout 5m;
        proxy_connect_timeout 5m;
        # 'nodeserver' refers to an upstream block defined elsewhere (not shown here)
        proxy_pass http://nodeserver;
        proxy_redirect off;
    }
}
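To see why both `trust proxy` and the `X-Forwarded-Proto` header are required, here is an added example (not code from the gist or from Connect itself) that models, in plain Node, the decision Connect's session middleware makes about a `{secure: true}` cookie behind a proxy. The request objects, the `isSecure` and `sessionSetCookie` names and the session id are constructed for the example.

```javascript
// Added example, not code from the gist: a hand-written model of how Connect
// and Express decide that a request is "secure" behind a proxy, and why a
// session cookie with {secure: true} silently disappears when nginx does not
// send X-Forwarded-Proto. Request objects are constructed stand-ins for Node's
// http.IncomingMessage; header and option names follow the gist.

// 'trust proxy' off: only a TLS socket counts. 'trust proxy' on: the first
// X-Forwarded-Proto value (set by the proxy nearest the client) is believed.
function isSecure(req, trustProxy) {
  if (req.connection && req.connection.encrypted) return true;
  if (!trustProxy) return false;
  const proto = (req.headers['x-forwarded-proto'] || 'http').split(',')[0].trim();
  return proto.toLowerCase() === 'https';
}

// Session middleware's cookie decision: cookie.secure set on a request that is
// not considered secure means no Set-Cookie at all, so each request gets a new
// session and logins never "stick".
function sessionSetCookie(req, opts) {
  if (opts.cookie.secure && !isSecure(req, opts.proxy)) return null;
  let header = opts.key + '=' + opts.sid + '; Path=/; HttpOnly';
  if (opts.cookie.secure) header += '; Secure';
  return header;
}

// Constructed requests as the Node app sees them over plain HTTP from nginx.
const plainHttp = { connection: { encrypted: false }, headers: {} };
const viaNginx  = { connection: { encrypted: false },
                    headers: { 'x-forwarded-proto': 'https' } };

// Mirrors the gist's session options; the sid value is made up.
const sessionOpts = { key: 'session.sid', sid: 'constructed-sid',
                      proxy: true, cookie: { secure: true } };

// nginx without proxy_set_header X-Forwarded-Proto: null, no cookie issued.
console.log(sessionSetCookie(plainHttp, sessionOpts));
// nginx sets the header and the app trusts the proxy: a Secure cookie is sent.
console.log(sessionSetCookie(viaNginx, sessionOpts));
// Same header but proxy: false ('trust proxy' off): the header is ignored.
// Keep it off whenever clients can reach the Node port directly, since any
// client could then send the header itself.
console.log(sessionSetCookie(viaNginx, Object.assign({}, sessionOpts, { proxy: false })));
```

The first call returning `null` is exactly the symptom several commenters below describe: sessions that never persist until `proxy_set_header X-Forwarded-Proto $scheme;` is added.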
chinmay185 commented Dec 11, 2014

You're a life saver!

th3o6a1d commented Apr 14, 2015

This just made my day!

winduptoy commented May 13, 2015

👍

tiblu commented Jun 3, 2015

Thanks for sharing!

twogood commented Feb 23, 2016

Thanks a bunch! I had everything correct except proxy_redirect off; (I had proxy_redirect default) and that didn't work for my Google OAuth2 login!

tsabolov commented Mar 29, 2016

Thank you for this recipe! In my case proxy_set_header X-Forwarded-Proto $scheme; was absent.

stlyz3 commented May 3, 2016

An absolute godsend! Thanks very much!

albacoretuna commented Jul 31, 2016

I was bitten by lack of this as well: proxy_set_header X-Forwarded-Proto $scheme;

ralphv commented Dec 2, 2016

For AWS Elastic Load Balancer offloading the SSL, I had to change the $scheme to explicitly say 'https', because even at the nginx level, the scheme was still http.

swapnil001 commented Jan 15, 2017

I have followed the same method above and am still getting "failed: Error during WebSocket handshake: Unexpected response code: 301". I am also using socket.io-redis for multiple processes. Any idea how to fix this issue?

Luisfermp18 commented May 18, 2017

Hi Guys!

Good morning/evening/night for all.

First, thank you, you have helped me make a correct configuration to serve https requests. But seeing this, a small doubt arises for me: where is the nginx-ssl.conf configuration file?

Thx for all!

mouradhamoud commented Jul 24, 2017

Thanks!!

pawelrychlik commented Aug 26, 2017

Thanks a million! 🙏

tonyamos commented Sep 30, 2017

Let me add another THANK YOU!!

labmorales commented Jan 30, 2018

👍 Thanks!

robba86 commented Feb 1, 2018

Awesome, thanks!

anandve commented Sep 25, 2018

Thanks!
