Secure sessions with Node.js, Connect, and Nginx as an SSL Proxy
// 1. In your main App, set up sessions (Express 3-style, with the Connect middleware bundled in express):
var express = require('express');
var app = express();

// Tells Connect to read X-Forwarded-* headers set by nginx instead of looking at the raw (plain HTTP) socket
app.enable('trust proxy');
app.use(express.bodyParser());
app.use(express.cookieParser());
app.use(express.session({
  secret: 'Super Secret Password',
  proxy: true,
  key: 'session.sid',
  // The cookie is only issued over HTTPS; behind the proxy that is decided from X-Forwarded-Proto
  cookie: {secure: true},
  // NEVER use in-memory store for production - I'm using mongoose/mongodb here
  // (sessionStore stands for whatever Connect-compatible store constructor you use)
  store: new sessionStore()
}));
# 2. Configure nginx to do SSL and forward all the required headers that Connect needs to do secure sessions:
server {
    listen 443;
    server_name localhost;
    # `ssl on;` is the legacy form; current nginx releases expect `listen 443 ssl;` instead
    ssl on;
    ssl_certificate /etc/nginx/nodeapp.crt;
    ssl_certificate_key /etc/nginx/nodeapp.key;
    ssl_session_timeout 5m;
    # SSLv2 and SSLv3 are long obsolete; current deployments list TLSv1.2 TLSv1.3 here
    ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location / {
        # THESE ARE IMPORTANT
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # This is what tells Connect that your session can be considered secure,
        # even though the protocol node.js sees is only HTTP:
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_read_timeout 5m;
        proxy_connect_timeout 5m;
        # "nodeserver" is an upstream { } block (not shown here) pointing at the Node.js listener
        proxy_pass http://nodeserver;
        proxy_redirect off;
    }
}
Secure sessions are easy, but they're not very well documented, so I'm changing that.
Here's a recipe for secure sessions in Node.js when NginX is used as an SSL proxy.
The desired configuration for using NginX as an SSL proxy is to offload SSL processing
and to put a hardened web server in front of your Node.js application, like:
[NODE.JS APP] <- HTTP -> [NginX] <- HTTPS -> [CLIENT]
To do this, you need the two pieces shown above: the Connect session setup in the app (step 1) and the nginx server block that forwards the X-Forwarded-* headers to it (step 2).