Skip to content

Instantly share code, notes, and snippets.

Forked from nikmartin/A: Secure Sessions Howto
Created February 23, 2016 21:39
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
Star You must be signed in to star a gist
Save twogood/480e64255064c597b0ec to your computer and use it in GitHub Desktop.
Secure sessions with Node.js, Connect, and Nginx as an SSL Proxy
// 1. In your main App, setup up sessions:
app.enable('trust proxy');
secret: 'Super Secret Password',
proxy: true,
key: 'session.sid',
cookie: {secure: true},
//NEVER use in-memory store for production - I'm using mongoose/mongodb here
store: new sessionStore()
# 2. Configure nginx to do SSL and forward all the required headers that COnnect needs to do secure sessions:
server {
listen 443;
server_name localhost;
ssl on;
ssl_certificate /etc/nginx/nodeapp.crt;
ssl_certificate_key /etc/nginx/nodeapp.key;
ssl_session_timeout 5m;
ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# This is what tells Connect that your session can be considered secure,
# even though the protocol node.js sees is only HTTP:
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_set_header X-NginX-Proxy true;
proxy_read_timeout 5m;
proxy_connect_timeout 5m;
proxy_pass http://nodeserver;
proxy_redirect off;
Secure sessions are easy, but it's not very well documented, so I'm changing that.
Here's a recipe for secure sessions in Node.js when NginX is used as an SSL proxy:
The desired configuration for using NginX as an SSL proxy is to offload SSL processing
and to put a hardened web server in front of your Node.js application, like:
[NODE.JS APP] <- HTTP -> [NginX] <- HTTPS -> [CLIENT]
To do this, here's what you need to do:
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment