Skip to content

Instantly share code, notes, and snippets.

@joedooley

joedooley/A: Secure Sessions Howto

Forked from nikmartin/A: Secure Sessions Howto
Created October 29, 2020 00:51
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save joedooley/51c7ca102b57a61c9385f20efc73b8ae to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save joedooley/51c7ca102b57a61c9385f20efc73b8ae to your computer and use it in GitHub Desktop.
Download ZIP

Revisions

  1. @nikmartin nikmartin revised this gist Aug 9, 2020. 3 changed files with 0 additions and 0 deletions.
    0 Secure Sessions Howto → A: Secure Sessions Howto
    View file
    File renamed without changes.
    0 app.js → B: app.js
    View file
    File renamed without changes.
    0 nginx-ssl.conf → C: nginx-ssl.conf
    View file
    File renamed without changes.
  2. @nikmartin nikmartin revised this gist Aug 9, 2020. 1 changed file with 4 additions and 2 deletions.
    6 changes: 4 additions & 2 deletions Secure Sessions Howto
    View file
    Original file line number Diff line number Diff line change
    @@ -1,9 +1,11 @@
    Secure sessions are easy, but it's not very well documented, so I'm changing that.
    Secure sessions are easy, but not very well documented.
    Here's a recipe for secure sessions in Node.js when NginX is used as an SSL proxy:

    The desired configuration for using NginX as an SSL proxy is to offload SSL processing
    and to put a hardened web server in front of your Node.js application, like:

    [NODE.JS APP] <- HTTP -> [NginX] <- HTTPS -> [CLIENT]
    [NODE.JS APP] <- HTTP -> [NginX] <- HTTPS -> [PUBLIC INTERNET] <-> [CLIENT]

    Edit for express 4.X and >: Express no longer uses Connect as its middleware framework, it implements its own now.

    To do this, here's what you need to do:
  3. @nikmartin nikmartin revised this gist Jul 1, 2013. 2 changed files with 5 additions and 3 deletions.
    3 changes: 2 additions & 1 deletion app.js
    View file
    Original file line number Diff line number Diff line change
    @@ -8,5 +8,6 @@ app.use(express.session({
    proxy: true,
    key: 'session.sid',
    cookie: {secure: true},
    store: new sessionStore() //NEVER use in-memory store for production - I'm using mongoose/mongodb here
    //NEVER use in-memory store for production - I'm using mongoose/mongodb here
    store: new sessionStore()
    }));
    5 changes: 3 additions & 2 deletions nginx-ssl.conf
    View file
    Original file line number Diff line number Diff line change
    @@ -12,10 +12,11 @@ server {
    ssl_prefer_server_ciphers on;

    location / {
    #THESE ARE IMPORTANT
    # THESE ARE IMPORTANT
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #This is what tells Connect that your session can be considered secure, even though the protocol node.js sees is only HTTP:
    # This is what tells Connect that your session can be considered secure,
    # even though the protocol node.js sees is only HTTP:
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Host $http_host;
    proxy_set_header X-NginX-Proxy true;
  4. @nikmartin nikmartin revised this gist Jul 1, 2013. 3 changed files with 5 additions and 5 deletions.
    8 changes: 4 additions & 4 deletions Secure Sessions Howto
    View file
    Original file line number Diff line number Diff line change
    @@ -1,9 +1,9 @@
    Secure sessions are easy, but it's not very well documented, so I'm changing that. Here's a recipe for secure sessions in Node.js when NginX is used as an SSL proxy:
    Secure sessions are easy, but it's not very well documented, so I'm changing that.
    Here's a recipe for secure sessions in Node.js when NginX is used as an SSL proxy:

    The desired configuration for using NginX as an SSL proxy is to offload SSL processing and to put a hardened web server in front of your Node.js application, like:
    The desired configuration for using NginX as an SSL proxy is to offload SSL processing
    and to put a hardened web server in front of your Node.js application, like:

    [NODE.JS APP] <- HTTP -> [NginX] <- HTTPS -> [CLIENT]

    To do this, here's what you need to do:

    1. Configure Connect(Express) to do sessions:
    2 changes: 1 addition & 1 deletion app.js
    View file
    Original file line number Diff line number Diff line change
    @@ -1,4 +1,4 @@
    //In your main App, setup up sessions:
    // 1. In your main App, setup up sessions:

    app.enable('trust proxy');
    app.use(express.bodyParser());
    0 nginxssl.conf → nginx-ssl.conf
    View file
    File renamed without changes.
  5. @nikmartin nikmartin revised this gist Jul 1, 2013. 2 changed files with 11 additions and 14 deletions.
    9 changes: 9 additions & 0 deletions Secure Sessions Howto
    View file
    Original file line number Diff line number Diff line change
    @@ -0,0 +1,9 @@
    Secure sessions are easy, but it's not very well documented, so I'm changing that. Here's a recipe for secure sessions in Node.js when NginX is used as an SSL proxy:

    The desired configuration for using NginX as an SSL proxy is to offload SSL processing and to put a hardened web server in front of your Node.js application, like:

    [NODE.JS APP] <- HTTP -> [NginX] <- HTTPS -> [CLIENT]

    To do this, here's what you need to do:

    1. Configure Connect(Express) to do sessions:
    16 changes: 2 additions & 14 deletions gistfile1.txt → nginxssl.conf
    View file
    Original file line number Diff line number Diff line change
    @@ -1,16 +1,4 @@
    Secure sessions are easy, but it's not very well documented, so I'm changing that. Here's a recipe for secure sessions in Node.js when NginX is used as an SSL proxy:

    The desired configuration for using NginX as an SSL proxy is to offload SSL processing and to put a hardened web server in front of your Node.js application, like:

    [NODE.JS APP] <- HTTP -> [NginX] <- HTTPS -> [CLIENT]

    To do this, here's what you need to do:

    1. Configure Connect(Express) to do sessions:



    2. Configure nginx to do SSL and forward all the requireed headers that COnnect needs to do secure sessions:
    # 2. Configure nginx to do SSL and forward all the required headers that COnnect needs to do secure sessions:

    server {
    listen 443;
    @@ -24,7 +12,7 @@ server {
    ssl_prefer_server_ciphers on;

    location / {
    #THESE ARE IMPORTATNT
    #THESE ARE IMPORTANT
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #This is what tells Connect that your session can be considered secure, even though the protocol node.js sees is only HTTP:
  6. @nikmartin nikmartin revised this gist Jul 1, 2013. 1 changed file with 12 additions and 0 deletions.
    12 changes: 12 additions & 0 deletions app.js
    View file
    Original file line number Diff line number Diff line change
    @@ -0,0 +1,12 @@
    //In your main App, setup up sessions:

    app.enable('trust proxy');
    app.use(express.bodyParser());
    app.use(express.cookieParser());
    app.use(express.session({
    secret: 'Super Secret Password',
    proxy: true,
    key: 'session.sid',
    cookie: {secure: true},
    store: new sessionStore() //NEVER use in-memory store for production - I'm using mongoose/mongodb here
    }));
  7. @nikmartin nikmartin revised this gist Jul 1, 2013. 1 changed file with 1 addition and 19 deletions.
    20 changes: 1 addition & 19 deletions gistfile1.txt
    View file
    Original file line number Diff line number Diff line change
    @@ -2,39 +2,23 @@ Secure sessions are easy, but it's not very well documented, so I'm changing tha

    The desired configuration for using NginX as an SSL proxy is to offload SSL processing and to put a hardened web server in front of your Node.js application, like:

    ` [NODE.JS APP] <- HTTP -> [NginX] <- HTTPS -> [CLIENT] `
    [NODE.JS APP] <- HTTP -> [NginX] <- HTTPS -> [CLIENT]

    To do this, here's what you need to do:

    1. Configure Connect(Express) to do sessions:

    ```javascript

    app.enable('trust proxy');
    app.use(express.bodyParser());
    app.use(express.cookieParser());
    app.use(express.session({
    secret: 'Super Secret Password',
    proxy: true,
    key: 'session.sid',
    cookie: {secure: true},
    store: new sessionStore() //NEVER use in-memory store for production - I'm using mongoose/mongodb here
    }));
    ```

    2. Configure nginx to do SSL and forward all the requireed headers that COnnect needs to do secure sessions:

    ```
    server {
    listen 443;
    server_name localhost;

    ssl on;
    ssl_certificate /etc/nginx/nodeapp.crt;
    ssl_certificate_key /etc/nginx/nodeapp.key;

    ssl_session_timeout 5m;

    ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    @@ -53,5 +37,3 @@ proxy_set_header X-Forwarded-Proto $scheme;
    proxy_redirect off;
    }
    }

    ```
  8. @nikmartin nikmartin created this gist Jul 1, 2013.
    57 changes: 57 additions & 0 deletions gistfile1.txt
    View file
    Original file line number Diff line number Diff line change
    @@ -0,0 +1,57 @@
    Secure sessions are easy, but it's not very well documented, so I'm changing that. Here's a recipe for secure sessions in Node.js when NginX is used as an SSL proxy:

    The desired configuration for using NginX as an SSL proxy is to offload SSL processing and to put a hardened web server in front of your Node.js application, like:

    ` [NODE.JS APP] <- HTTP -> [NginX] <- HTTPS -> [CLIENT] `

    To do this, here's what you need to do:

    1. Configure Connect(Express) to do sessions:

    ```javascript

    app.enable('trust proxy');
    app.use(express.bodyParser());
    app.use(express.cookieParser());
    app.use(express.session({
    secret: 'Super Secret Password',
    proxy: true,
    key: 'session.sid',
    cookie: {secure: true},
    store: new sessionStore() //NEVER use in-memory store for production - I'm using mongoose/mongodb here
    }));
    ```

    2. Configure nginx to do SSL and forward all the requireed headers that COnnect needs to do secure sessions:

    ```
    server {
    listen 443;
    server_name localhost;

    ssl on;
    ssl_certificate /etc/nginx/nodeapp.crt;
    ssl_certificate_key /etc/nginx/nodeapp.key;

    ssl_session_timeout 5m;

    ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location / {
    #THESE ARE IMPORTATNT
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #This is what tells Connect that your session can be considered secure, even though the protocol node.js sees is only HTTP:
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Host $http_host;
    proxy_set_header X-NginX-Proxy true;
    proxy_read_timeout 5m;
    proxy_connect_timeout 5m;
    proxy_pass http://nodeserver;
    proxy_redirect off;
    }
    }

    ```