Nginx reverse proxy – remove “Secure” from cookies

cookiesnginxreverse-proxy

For the sake of development I need to make NGINX drop "Secure" flag from cookie headers.

Set-Cookie:XSRF-TOKEN=zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzz; Path=/; Secure

should become

Set-Cookie:XSRF-TOKEN=zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzz; Path=/;

For each Set-Cookie header. I am creating a reverse-proxy configuration to decouple development server from the UI and since upstream is running behind HTTPS while NGINX is running on plain HTTP, browser refuses to send cookies back.

Best Answer

Since nginx 1.19.3 you can use http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cookie_flags. For example:

proxy_cookie_flags some_cookie nosecure;

To remove the Secure flag from all cookies:

proxy_cookie_flags ~ nosecure;

Related Solutions

NGINX Reverse Proxy – URL Rewrite

Any redirect to localhost doesn't make sense from a remote system (e.g. client's Web browser). So the rewrite flags permanent (301) or redirect (302) are not usable in your case.

Please try following setup using a transparent rewrite rule:

location  /foo {
  rewrite /foo/(.*) /$1  break;
  proxy_pass         http://localhost:3200;
  proxy_redirect     off;
  proxy_set_header   Host $host;
}

Use curl -i to test your rewrites. A very subtle change to the rule can cause nginx to perform a redirect.

Nginx – In nginx reverse proxy, how to set the secure flag for cookies

You might be able to get your nginx proxy modify the cookies created by the backend and set the secure flag - for inspiration see How to rewrite the domain part of Set-Cookie in a nginx reverse proxy?.

However I'd imagine that getting whatever is creating the cookie on the backend to set the secure flag is going to be a better solution. How you do that is another story (or question :).

Best Answer

Related Solutions

NGINX Reverse Proxy – URL Rewrite

Nginx – In nginx reverse proxy, how to set the secure flag for cookies

Related Topic