{"id":406,"date":"2014-02-07T11:44:51","date_gmt":"2014-02-07T11:44:51","guid":{"rendered":"https:\/\/gosqeng.test\/?p=406"},"modified":"2019-11-28T12:21:20","modified_gmt":"2019-11-28T12:21:20","slug":"secure-sessions-http-proxy","status":"publish","type":"post","link":"https:\/\/www.gosquared.com\/blog\/secure-sessions-http-proxy","title":{"rendered":"Using secure sessions behind an HTTP proxy"},"content":{"rendered":"<p>GoSquared is served entirely via HTTPS, so it was a logical and easy decision to modify our user sessions to use secure cookies. A couple of lines of configuration later, and we were good to go.<\/p>\n<p>Not quite.<\/p>\n<p>We use Node.js extensively, and <a href=\"http:\/\/www.senchalabs.org\/connect\/session.html\" target=\"_blank\" rel=\"noopener noreferrer\">Connect.session<\/a>, which is used by Express, will refuse to set secure cookies when the connection isn&#8217;t encrypted (<code>req.connection.encrypted<\/code>) unless the <code>proxy<\/code> option is set to true and the <code>x-forwarded-proto<\/code> header is <code>https<\/code>. This is not the case with standard secure cookies, but it&#8217;s been coded into Connect, probably for security reasons.<\/p>\n<h2>Why does this matter? Isn&#8217;t everything served via HTTPS anyway?<\/h2>\n<p>Of course, but everything is also served via an ELB which proxies to our nginx cluster, which in turn proxies to our app servers via internal HTTP connections. The fix is trivial as it&#8217;s easy to set\/modify headers in nginx, making the header validation in Connect quite pointless &#8211; <code>proxy_set_header x-forwarded-proto https;<\/code>.<\/p>\n<p>In completely unrelated news, sessions on GoSquared now use secure + httponly cookies!<\/p>\n<p>PS. 
Remember to add <code>proxy_set_header Host $host;<\/code> as well if you need the Host header to be forwarded; it appears to get lost otherwise.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>GoSquared is served entirely via HTTPS, so it was a logical and easy decision to modify our user sessions to&#8230;<\/p>\n","protected":false},"author":10,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1452],"tags":[],"class_list":["post-406","post","type-post","status-publish","format-standard","hentry","category-engineering"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v18.6 (Yoast SEO v19.0) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Using secure sessions behind an HTTP proxy - GoSquared Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.gosquared.com\/blog\/secure-sessions-http-proxy\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Using secure sessions behind an HTTP proxy\" \/>\n<meta property=\"og:description\" content=\"GoSquared is served entirely via HTTPS, so it was a logical and easy decision to modify our user sessions to...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.gosquared.com\/blog\/secure-sessions-http-proxy\" \/>\n<meta property=\"og:site_name\" content=\"GoSquared Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/GoSquared\" \/>\n<meta property=\"article:published_time\" content=\"2014-02-07T11:44:51+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2019-11-28T12:21:20+00:00\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@simon_tabor\" \/>\n<meta 
name=\"twitter:site\" content=\"@GoSquared\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Simon Tabor\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.gosquared.com\/blog\/#organization\",\"name\":\"GoSquared\",\"url\":\"https:\/\/www.gosquared.com\/blog\/\",\"sameAs\":[\"https:\/\/instagram.com\/gosquaredteam\",\"https:\/\/www.linkedin.com\/company\/go-squared-ltd.\",\"https:\/\/www.facebook.com\/GoSquared\",\"https:\/\/twitter.com\/GoSquared\"],\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.gosquared.com\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.gosquared.com\/blog\/wp-content\/uploads\/2015\/07\/gosquared.png\",\"contentUrl\":\"https:\/\/www.gosquared.com\/blog\/wp-content\/uploads\/2015\/07\/gosquared.png\",\"width\":1270,\"height\":250,\"caption\":\"GoSquared\"},\"image\":{\"@id\":\"https:\/\/www.gosquared.com\/blog\/#\/schema\/logo\/image\/\"}},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.gosquared.com\/blog\/#website\",\"url\":\"https:\/\/www.gosquared.com\/blog\/\",\"name\":\"GoSquared Blog\",\"description\":\"Turn visitors into customers.\",\"publisher\":{\"@id\":\"https:\/\/www.gosquared.com\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.gosquared.com\/blog\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.gosquared.com\/blog\/secure-sessions-http-proxy#webpage\",\"url\":\"https:\/\/www.gosquared.com\/blog\/secure-sessions-http-proxy\",\"name\":\"Using secure sessions behind an HTTP proxy - 
GoSquared Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.gosquared.com\/blog\/#website\"},\"datePublished\":\"2014-02-07T11:44:51+00:00\",\"dateModified\":\"2019-11-28T12:21:20+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.gosquared.com\/blog\/secure-sessions-http-proxy#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.gosquared.com\/blog\/secure-sessions-http-proxy\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.gosquared.com\/blog\/secure-sessions-http-proxy#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.gosquared.com\/blog\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Using secure sessions behind an HTTP proxy\"}]},{\"@type\":\"Article\",\"@id\":\"https:\/\/www.gosquared.com\/blog\/secure-sessions-http-proxy#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.gosquared.com\/blog\/secure-sessions-http-proxy#webpage\"},\"author\":{\"@id\":\"https:\/\/www.gosquared.com\/blog\/#\/schema\/person\/71fad71f60ad33cf9356687b37aed3d0\"},\"headline\":\"Using secure sessions behind an HTTP proxy\",\"datePublished\":\"2014-02-07T11:44:51+00:00\",\"dateModified\":\"2019-11-28T12:21:20+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.gosquared.com\/blog\/secure-sessions-http-proxy#webpage\"},\"wordCount\":196,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/www.gosquared.com\/blog\/#organization\"},\"articleSection\":[\"Engineering\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.gosquared.com\/blog\/secure-sessions-http-proxy#respond\"]}]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.gosquared.com\/blog\/#\/schema\/person\/71fad71f60ad33cf9356687b37aed3d0\",\"name\":\"Simon 
Tabor\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.gosquared.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/dc920e48608646bda51d2e6e2595e8ad926cff52eba534c1d25fb1618f15b59f?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/dc920e48608646bda51d2e6e2595e8ad926cff52eba534c1d25fb1618f15b59f?s=96&d=mm&r=g\",\"caption\":\"Simon Tabor\"},\"description\":\"Lead developer at GoSquared for integrations, partnerships and the API. Works on pretty much everything.\",\"sameAs\":[\"http:\/\/simontabor.com\",\"https:\/\/twitter.com\/simon_tabor\"],\"url\":\"https:\/\/www.gosquared.com\/blog\/author\/simontabor\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Using secure sessions behind an HTTP proxy - GoSquared Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.gosquared.com\/blog\/secure-sessions-http-proxy","og_locale":"en_US","og_type":"article","og_title":"Using secure sessions behind an HTTP proxy","og_description":"GoSquared is served entirely via HTTPS, so it was a logical and easy decision to modify our user sessions to...","og_url":"https:\/\/www.gosquared.com\/blog\/secure-sessions-http-proxy","og_site_name":"GoSquared Blog","article_publisher":"https:\/\/www.facebook.com\/GoSquared","article_published_time":"2014-02-07T11:44:51+00:00","article_modified_time":"2019-11-28T12:21:20+00:00","twitter_card":"summary_large_image","twitter_creator":"@simon_tabor","twitter_site":"@GoSquared","twitter_misc":{"Written by":"Simon Tabor","Est. 
reading time":"1 minute"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Organization","@id":"https:\/\/www.gosquared.com\/blog\/#organization","name":"GoSquared","url":"https:\/\/www.gosquared.com\/blog\/","sameAs":["https:\/\/instagram.com\/gosquaredteam","https:\/\/www.linkedin.com\/company\/go-squared-ltd.","https:\/\/www.facebook.com\/GoSquared","https:\/\/twitter.com\/GoSquared"],"logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.gosquared.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.gosquared.com\/blog\/wp-content\/uploads\/2015\/07\/gosquared.png","contentUrl":"https:\/\/www.gosquared.com\/blog\/wp-content\/uploads\/2015\/07\/gosquared.png","width":1270,"height":250,"caption":"GoSquared"},"image":{"@id":"https:\/\/www.gosquared.com\/blog\/#\/schema\/logo\/image\/"}},{"@type":"WebSite","@id":"https:\/\/www.gosquared.com\/blog\/#website","url":"https:\/\/www.gosquared.com\/blog\/","name":"GoSquared Blog","description":"Turn visitors into customers.","publisher":{"@id":"https:\/\/www.gosquared.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.gosquared.com\/blog\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.gosquared.com\/blog\/secure-sessions-http-proxy#webpage","url":"https:\/\/www.gosquared.com\/blog\/secure-sessions-http-proxy","name":"Using secure sessions behind an HTTP proxy - GoSquared 
Blog","isPartOf":{"@id":"https:\/\/www.gosquared.com\/blog\/#website"},"datePublished":"2014-02-07T11:44:51+00:00","dateModified":"2019-11-28T12:21:20+00:00","breadcrumb":{"@id":"https:\/\/www.gosquared.com\/blog\/secure-sessions-http-proxy#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.gosquared.com\/blog\/secure-sessions-http-proxy"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.gosquared.com\/blog\/secure-sessions-http-proxy#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.gosquared.com\/blog"},{"@type":"ListItem","position":2,"name":"Using secure sessions behind an HTTP proxy"}]},{"@type":"Article","@id":"https:\/\/www.gosquared.com\/blog\/secure-sessions-http-proxy#article","isPartOf":{"@id":"https:\/\/www.gosquared.com\/blog\/secure-sessions-http-proxy#webpage"},"author":{"@id":"https:\/\/www.gosquared.com\/blog\/#\/schema\/person\/71fad71f60ad33cf9356687b37aed3d0"},"headline":"Using secure sessions behind an HTTP proxy","datePublished":"2014-02-07T11:44:51+00:00","dateModified":"2019-11-28T12:21:20+00:00","mainEntityOfPage":{"@id":"https:\/\/www.gosquared.com\/blog\/secure-sessions-http-proxy#webpage"},"wordCount":196,"commentCount":0,"publisher":{"@id":"https:\/\/www.gosquared.com\/blog\/#organization"},"articleSection":["Engineering"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.gosquared.com\/blog\/secure-sessions-http-proxy#respond"]}]},{"@type":"Person","@id":"https:\/\/www.gosquared.com\/blog\/#\/schema\/person\/71fad71f60ad33cf9356687b37aed3d0","name":"Simon 
Tabor","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.gosquared.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/dc920e48608646bda51d2e6e2595e8ad926cff52eba534c1d25fb1618f15b59f?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/dc920e48608646bda51d2e6e2595e8ad926cff52eba534c1d25fb1618f15b59f?s=96&d=mm&r=g","caption":"Simon Tabor"},"description":"Lead developer at GoSquared for integrations, partnerships and the API. Works on pretty much everything.","sameAs":["http:\/\/simontabor.com","https:\/\/twitter.com\/simon_tabor"],"url":"https:\/\/www.gosquared.com\/blog\/author\/simontabor"}]}},"wps_subtitle":"Making things more secure","_links":{"self":[{"href":"https:\/\/www.gosquared.com\/blog\/wp-json\/wp\/v2\/posts\/406","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.gosquared.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.gosquared.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.gosquared.com\/blog\/wp-json\/wp\/v2\/users\/10"}],"replies":[{"embeddable":true,"href":"https:\/\/www.gosquared.com\/blog\/wp-json\/wp\/v2\/comments?post=406"}],"version-history":[{"count":0,"href":"https:\/\/www.gosquared.com\/blog\/wp-json\/wp\/v2\/posts\/406\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.gosquared.com\/blog\/wp-json\/wp\/v2\/media?parent=406"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.gosquared.com\/blog\/wp-json\/wp\/v2\/categories?post=406"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.gosquared.com\/blog\/wp-json\/wp\/v2\/tags?post=406"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}