I have a apache 2.4.29 with TLS activated to handle static files. Then i have a proxy configured to pass dynamic content to a NodeJS 10.5.0 with:
- ExpressJS 4.16.3
- express-session 1.15.6
- session-file-store 1.2.0
The site.conf in apache that configures the proxy to Node is:
ProxyPreserveHost On
RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy 127.0.0.0/8
RequestHeader add X-SSL off
ProxyPass "/s" "http://127.0.0.1:3001"
ProxyPassReverse "/s" "http://127.0.0.1:3001"
RewriteRule ^/s/(.*) http://127.0.0.1:3001/$1 [P,L]
ProxyPass "/n" "http://127.0.0.1:3001/n"
ProxyPassReverse "/n" "http://127.0.0.1:3001/n"
RewriteRule ^/n/(.*) http://127.0.0.1:3001/n/$1 [P,L]
The Node/Express is without the TLS configuration. Both are on the same machine. In the server.js i have this code to handle the sessions:
var express = require('express'),
sessao = require('express-session'),
armazenamento_ficheiros = require('session-file-store')(sessao),
app = express();
app.set('trust proxy', 1); // trust first proxy
app.use(sessao({
store: new armazenamento_ficheiros(),
secret: 'teste',
name: 'xxx',
resave: true,
cookie: {secure: false }, //i also tried with true, auto and removing the property
saveUninitialized: true
}));
The problem is that it is appearing a session id JSON file for each client request for a dynamic file, instead of using just one. Also, it appears a cookie id session in the browser with a id that did not appeared in the session id files of Express. I removed and repeated to see it the cookie was created again and now it does not. I am already confused with so many testing.
Can anyone guide me how to solve this correctly? Thank you.
UPDATE I changed the script to:
app.use(sessao({
store: new armazenamento_ficheiros(),
secret: 'teste',
name: 'xxx',
resave: true,
proxy: true,
cookie: {secure: true },
saveUninitialized: true
}));
And now, if i use the URL to access directly to the NodeJS, it works as expected; it creates a cookie with session ID. But it i access via Apache, i can see the set-cookie command in the http header received but the browser does not create the cookie. I suspect that somethins is wrong in the Apache configuration.
So i added: RequestHeader set X-Forwarded-Proto "https"
but the problem remains.
