Create a gist now

Instantly share code, notes, and snippets.

What would you like to do?
Secure sessions with Node.js, Connect, and Nginx as an SSL Proxy
// 1. In your main App, setup up sessions:
app.enable('trust proxy');
app.use(express.bodyParser());
app.use(express.cookieParser());
app.use(express.session({
secret: 'Super Secret Password',
proxy: true,
key: 'session.sid',
cookie: {secure: true},
//NEVER use in-memory store for production - I'm using mongoose/mongodb here
store: new sessionStore()
}));
# 2. Configure nginx to do SSL and forward all the required headers that COnnect needs to do secure sessions:
server {
listen 443;
server_name localhost;
ssl on;
ssl_certificate /etc/nginx/nodeapp.crt;
ssl_certificate_key /etc/nginx/nodeapp.key;
ssl_session_timeout 5m;
ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
# THESE ARE IMPORTANT
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# This is what tells Connect that your session can be considered secure,
# even though the protocol node.js sees is only HTTP:
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_set_header X-NginX-Proxy true;
proxy_read_timeout 5m;
proxy_connect_timeout 5m;
proxy_pass http://nodeserver;
proxy_redirect off;
}
}
Secure sessions are easy, but it's not very well documented, so I'm changing that.
Here's a recipe for secure sessions in Node.js when NginX is used as an SSL proxy:
The desired configuration for using NginX as an SSL proxy is to offload SSL processing
and to put a hardened web server in front of your Node.js application, like:
[NODE.JS APP] <- HTTP -> [NginX] <- HTTPS -> [CLIENT]
To do this, here's what you need to do:

You're a life saver!

This just made my day!

👍

tiblu commented Jun 3, 2015

Thanks for sharing!

twogood commented Feb 23, 2016

Thanks a bunch! I had everything correct except proxy_redirect off; (I had proxy_redirect default) and that didn't work for my Google OAuth2 login!

Thank you for this recipe! In my case proxy_set_header X-Forwarded-Proto $scheme; was absent.

stlyz3 commented May 3, 2016

An absolute godsend! Thanks very much!

omidfi commented Jul 31, 2016

I was bitten by lack of this as well: proxy_set_header X-Forwarded-Proto $scheme;

ralphv commented Dec 2, 2016 edited

for AWS elastic load balancer offloading the SSL, I had to change the $scheme to explicitly say 'https', because even at the nginx level, the scheme was still http.

I have followed the same above method still getting "failed: Error during WebSocket handshake: Unexpected response code: 301". Also using socket io redis for multi processors. Any idea how to fix this issue?

Hi Guys!

Good morning/evening/night for all.

First, thank you, you have assisted to me to make a correct configuration to attend https request. But seeing this, me a small doubt arises, where is the nginx-ssl.conf configuration file?

Thx for all!

Thanks!!

Thanks a million! 🙏

Let me add another THANK YOU!!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment