Alright, first of all, when you're debugging a "weird" issue with HTTP cookie-based sessions, make sure to check whether the appropriate Set-Cookie header is even sent by the server!
Once you have established that it is not being sent (as I did), you're going to want to set the environment variable DEBUG to *, in case you're running a Node.js/Express application.
If you do so, you might spot the following line in your logs:
    cookie-session error saving session Cannot send secure cookie over unencrypted connection
You'll then track that line down to cookie-session and then further down to cookies, which is when you realize that this all has to do with express not treating the connection as trusted.
So nginx isn't stripping any cookies. In a way, it is to blame though. I found the answer in "nginx $scheme variable behind load balancer". To quote the accepted answer:
    # Sets a $real_scheme variable whose value is the scheme passed by the load
    # balancer in X-Forwarded-Proto (if any), defaulting to $scheme.
    # Similar to how the HttpRealIp module treats X-Forwarded-For.
    map $http_x_forwarded_proto $real_scheme {
        default $http_x_forwarded_proto;
        ''      $scheme;
    }
You would put that into your nginx configuration and then use $real_scheme instead of $scheme for the X-Forwarded-Proto header:
    proxy_set_header "X-Forwarded-Proto" $real_scheme;
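
The chain described in the answer above, as an added example that is not part of the original answer and is not code from nginx, Express, cookie-session or cookies: a simplified model of how the forwarded scheme gets lost at the nginx hop and why the secure cookie is then refused. The function names, the constructed request, and the `trustProxy` flag (standing in for Express's "trust proxy" setting) are assumptions.

```javascript
// Added illustration: a simplified model, not code from nginx, Express or cookies.
// Constructed scenario: browser --HTTPS--> load balancer --HTTP--> nginx --HTTP--> app.

// nginx hop: `scheme` is what nginx sees on its own listener ($scheme).
// useMap=false models: proxy_set_header X-Forwarded-Proto $scheme;
// useMap=true models the map block plus: proxy_set_header "X-Forwarded-Proto" $real_scheme;
function nginxForwardedProto(incoming, scheme, useMap) {
  const fromLb = incoming['x-forwarded-proto'] || '';
  if (!useMap) return scheme;             // overwrites what the load balancer said
  return fromLb !== '' ? fromLb : scheme; // '' -> $scheme, default -> header value
}

// App hop: the socket from nginx is plain HTTP, so the forwarded header is the
// only evidence of TLS. trustProxy is an assumption standing in for Express's
// "trust proxy" setting; without it the header is ignored.
function appSeesHttps(headers, trustProxy) {
  if (!trustProxy) return false;
  const proto = (headers['x-forwarded-proto'] || 'http').split(',')[0].trim();
  return proto === 'https';
}

// Mirrors the failure in the log line: a secure cookie is refused on "http".
function trySetSecureCookie(headers, trustProxy) {
  if (!appSeesHttps(headers, trustProxy)) {
    throw new Error('Cannot send secure cookie over unencrypted connection');
  }
  return 'session=constructed-value; path=/; secure; httponly';
}

function simulate(useMap, trustProxy = true) {
  const fromLoadBalancer = { 'x-forwarded-proto': 'https' }; // constructed request
  const proto = nginxForwardedProto(fromLoadBalancer, 'http', useMap);
  try {
    const setCookie = trySetSecureCookie({ 'x-forwarded-proto': proto }, trustProxy);
    return { proto, setCookie, error: null };
  } catch (err) {
    return { proto, setCookie: null, error: err.message };
  }
}

console.log(simulate(false)); // nginx forwards $scheme
console.log(simulate(true));  // nginx forwards $real_scheme
```

The model also shows that the nginx change alone is not enough if the application ignores forwarded headers: `simulate(true, false)` fails the same way.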