Create a gist now

Instantly share code, notes, and snippets.

What would you like to do?
Secure sessions with Node.js, Connect, and Nginx as an SSL Proxy
// 1. In your main App, setup up sessions:
app.enable('trust proxy');
app.use(express.bodyParser());
app.use(express.cookieParser());
app.use(express.session({
secret: 'Super Secret Password',
proxy: true,
key: 'session.sid',
cookie: {secure: true},
//NEVER use in-memory store for production - I'm using mongoose/mongodb here
store: new sessionStore()
}));
# 2. Configure nginx to do SSL and forward all the required headers that COnnect needs to do secure sessions:
server {
listen 443;
server_name localhost;
ssl on;
ssl_certificate /etc/nginx/nodeapp.crt;
ssl_certificate_key /etc/nginx/nodeapp.key;
ssl_session_timeout 5m;
ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
# THESE ARE IMPORTANT
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# This is what tells Connect that your session can be considered secure,
# even though the protocol node.js sees is only HTTP:
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_set_header X-NginX-Proxy true;
proxy_read_timeout 5m;
proxy_connect_timeout 5m;
proxy_pass http://nodeserver;
proxy_redirect off;
}
}
Secure sessions are easy, but it's not very well documented, so I'm changing that.
Here's a recipe for secure sessions in Node.js when NginX is used as an SSL proxy:
The desired configuration for using NginX as an SSL proxy is to offload SSL processing
and to put a hardened web server in front of your Node.js application, like:
[NODE.JS APP] <- HTTP -> [NginX] <- HTTPS -> [CLIENT]
To do this, here's what you need to do:
@chinmay185

This comment has been minimized.

Show comment Hide comment
@chinmay185

chinmay185 Dec 11, 2014

You're a life saver!

You're a life saver!

@th3o6a1d

This comment has been minimized.

Show comment Hide comment
@th3o6a1d

th3o6a1d Apr 14, 2015

This just made my day!

This just made my day!

@winduptoy

This comment has been minimized.

Show comment Hide comment
@winduptoy

winduptoy May 13, 2015

👍

👍

@tiblu

This comment has been minimized.

Show comment Hide comment
@tiblu

tiblu Jun 3, 2015

Thanks for sharing!

tiblu commented Jun 3, 2015

Thanks for sharing!

@twogood

This comment has been minimized.

Show comment Hide comment
@twogood

twogood Feb 23, 2016

Thanks a bunch! I had everything correct except proxy_redirect off; (I had proxy_redirect default) and that didn't work for my Google OAuth2 login!

twogood commented Feb 23, 2016

Thanks a bunch! I had everything correct except proxy_redirect off; (I had proxy_redirect default) and that didn't work for my Google OAuth2 login!

@tsabolov

This comment has been minimized.

Show comment Hide comment
@tsabolov

tsabolov Mar 29, 2016

Thank you for this recipe! In my case proxy_set_header X-Forwarded-Proto $scheme; was absent.

Thank you for this recipe! In my case proxy_set_header X-Forwarded-Proto $scheme; was absent.

@stlyz3

This comment has been minimized.

Show comment Hide comment
@stlyz3

stlyz3 May 3, 2016

An absolute godsend! Thanks very much!

stlyz3 commented May 3, 2016

An absolute godsend! Thanks very much!

@omidfi

This comment has been minimized.

Show comment Hide comment
@omidfi

omidfi Jul 31, 2016

I was bitten by lack of this as well: proxy_set_header X-Forwarded-Proto $scheme;

omidfi commented Jul 31, 2016

I was bitten by lack of this as well: proxy_set_header X-Forwarded-Proto $scheme;

@ralphv

This comment has been minimized.

Show comment Hide comment
@ralphv

ralphv Dec 2, 2016

for AWS elastic load balancer offloading the SSL, I had to change the $scheme to explicitly say 'https', because even at the nginx level, the scheme was still http.

ralphv commented Dec 2, 2016

for AWS elastic load balancer offloading the SSL, I had to change the $scheme to explicitly say 'https', because even at the nginx level, the scheme was still http.

@swapnil001

This comment has been minimized.

Show comment Hide comment
@swapnil001

swapnil001 Jan 15, 2017

I have followed the same above method still getting "failed: Error during WebSocket handshake: Unexpected response code: 301". Also using socket io redis for multi processors. Any idea how to fix this issue?

I have followed the same above method still getting "failed: Error during WebSocket handshake: Unexpected response code: 301". Also using socket io redis for multi processors. Any idea how to fix this issue?

@Luisfermp18

This comment has been minimized.

Show comment Hide comment
@Luisfermp18

Luisfermp18 May 18, 2017

Hi Guys!

Good morning/evening/night for all.

First, thank you, you have assisted to me to make a correct configuration to attend https request. But seeing this, me a small doubt arises, where is the nginx-ssl.conf configuration file?

Thx for all!

Hi Guys!

Good morning/evening/night for all.

First, thank you, you have assisted to me to make a correct configuration to attend https request. But seeing this, me a small doubt arises, where is the nginx-ssl.conf configuration file?

Thx for all!

@mouradhamoud

This comment has been minimized.

Show comment Hide comment
@mouradhamoud

mouradhamoud Jul 24, 2017

Thanks!!

Thanks!!

@pawelrychlik

This comment has been minimized.

Show comment Hide comment
@pawelrychlik

pawelrychlik Aug 26, 2017

Thanks a million! 🙏

Thanks a million! 🙏

@tonyamos

This comment has been minimized.

Show comment Hide comment
@tonyamos

tonyamos Sep 30, 2017

Let me add another THANK YOU!!

Let me add another THANK YOU!!

@labmorales

This comment has been minimized.

Show comment Hide comment
@labmorales

labmorales Jan 30, 2018

👍 Thanks!

👍 Thanks!

@robba86

This comment has been minimized.

Show comment Hide comment
@robba86

robba86 Feb 1, 2018

Awesome, thanks!

robba86 commented Feb 1, 2018

Awesome, thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment