Ensure cookie is secure even if NodeBB does not handle the SSL certificate #4734

Closed
julianlam opened this Issue Jun 7, 2016 · 8 comments

5 participants
@julianlam
Member

julianlam commented Jun 7, 2016

As per @BenLubar's suggestion, the commit 08cdfd2 introduces a one-character fix that means sites will now require their express session cookie to be https only.

If you are terminating SSL via nginx, you will need to add the following to your nginx configuration:

proxy_set_header X-Forwarded-Proto $scheme;

If you are not using SSL, adding that line should have no adverse effects.

@julianlam julianlam added this to the 1.1.0 milestone Jun 7, 2016

@julianlam julianlam self-assigned this Jun 7, 2016

@julianlam

Member

julianlam commented Jun 7, 2016

Closed via 08cdfd2

@sohpingting


sohpingting commented Jul 19, 2016

I'm using a hosted solution with NodeBB. I can't add this fix =( @julianlam what can I do?

@julianlam

Member

julianlam commented Jul 19, 2016

Hi there, your instance should already have this fix applied. Are you seeing this issue on your forum?

@sohpingting


sohpingting commented Jul 26, 2016

I guess not. Thank you @julianlam

@codecowboy


codecowboy commented Jul 26, 2016

I am seeing this issue with Apache 2.4.x. Switching webservers is not really a practical option for me at the moment. Please can you advise how to set this header in Apache?

@jarey


jarey commented Jul 26, 2016

@codecowboy seems like it could be something like:

RequestHeader set X-Forwarded-Proto "https"

in your virtualhost config block.
Source: http://stackoverflow.com/questions/18935448/https-scheme-lost-in-apache-proxy-scenario-upon-redirect-from-gitlab

Please try and let me know if that works for you.

@codecowboy


codecowboy commented Jul 26, 2016

@jarey I don't actually have SSL set up at the moment? I'm not sure if that would make a difference? I get this if I try to add that line:

Invalid command 'RequestHeader', perhaps misspelled or defined by a module not included in the server configuration
Action 'configtest' failed.

@antoinerousseau


antoinerousseau commented Mar 6, 2017

If you access your forum through HTTPS but your server handles it internally as HTTP, e.g. if you use services like CloudFlare, the $scheme nginx will be passing is http when you want https. In this case, simply force it like this:

proxy_set_header X-Forwarded-Proto https;