Last active
October 30, 2024 20:13
-
-
Save nikmartin/5902176 to your computer and use it in GitHub Desktop.
Secure sessions with Node.js, Express.js, and NginX as an SSL Proxy
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Secure sessions are easy, but not very well documented. | |
Here's a recipe for secure sessions in Node.js when NginX is used as an SSL proxy: | |
The desired configuration for using NginX as an SSL proxy is to offload SSL processing | |
and to put a hardened web server in front of your Node.js application, like: | |
[NODE.JS APP] <- HTTP -> [NginX] <- HTTPS -> [PUBLIC INTERNET] <-> [CLIENT] | |
Edit for express 4.X and >: Express no longer uses Connect as its middleware framework, it implements its own now. | |
To do this, here's what you need to do: |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
// 1. In your main App, setup up sessions: | |
app.enable('trust proxy'); | |
app.use(express.bodyParser()); | |
app.use(express.cookieParser()); | |
app.use(express.session({ | |
secret: 'Super Secret Password', | |
proxy: true, | |
key: 'session.sid', | |
cookie: {secure: true}, | |
//NEVER use in-memory store for production - I'm using mongoose/mongodb here | |
store: new sessionStore() | |
})); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# 2. Configure nginx to do SSL and forward all the required headers that COnnect needs to do secure sessions: | |
server { | |
listen 443; | |
server_name localhost; | |
ssl on; | |
ssl_certificate /etc/nginx/nodeapp.crt; | |
ssl_certificate_key /etc/nginx/nodeapp.key; | |
ssl_session_timeout 5m; | |
ssl_protocols SSLv2 SSLv3 TLSv1; | |
ssl_ciphers HIGH:!aNULL:!MD5; | |
ssl_prefer_server_ciphers on; | |
location / { | |
# THESE ARE IMPORTANT | |
proxy_set_header X-Real-IP $remote_addr; | |
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
# This is what tells Connect that your session can be considered secure, | |
# even though the protocol node.js sees is only HTTP: | |
proxy_set_header X-Forwarded-Proto $scheme; | |
proxy_set_header Host $http_host; | |
proxy_set_header X-NginX-Proxy true; | |
proxy_read_timeout 5m; | |
proxy_connect_timeout 5m; | |
proxy_pass http://nodeserver; | |
proxy_redirect off; | |
} | |
} |
Awesome, you're my hero I'll fight for you.
thank you very much! you save my project deadline!
Thank you, my good sir! Another deadline saved. May I too have as much good karma as you do.
Thank you boss !!! 🙌✨
Thank you!
this is great. it worked for me. i had to ensure that the nginx order of proxy headers was in line with your post. the headers needed to be above the proxy_pass pointer.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Many thanks