fix(auth): front CouchDB with nginx to mark AuthSession cookie Secure
CouchDB 3.5 derives the Set-Cookie Secure flag from the raw mochiweb socket scheme and ignores X-Forwarded-Proto/Ssl for cookie attribution. Behind a TLS-terminating proxy the cookie was emitted without Secure, so browsers dropped the SameSite=None AuthSession cookie on cross-origin requests — POST /_session returned 200 but the next GET /_session showed userCtx.name: null and PouchDB stayed unauthenticated. Add an nginx sidecar that adds Secure via proxy_cookie_flags, route the public domain through it, and make couchdb internal. Also persist same_site=none in couchdb-init so the setting survives container recreation (local.d/ is not in the data volume).
This commit is contained in:
29
nginx/default.conf
Normal file
29
nginx/default.conf
Normal file
@@ -0,0 +1,29 @@
|
||||
server {
|
||||
listen 5984;
|
||||
server_name _;
|
||||
|
||||
# PouchDB attachments and _bulk_docs can be large.
|
||||
client_max_body_size 256m;
|
||||
|
||||
# CouchDB's _changes?feed=continuous needs HTTP/1.1, no buffering, long timeouts.
|
||||
proxy_http_version 1.1;
|
||||
proxy_buffering off;
|
||||
proxy_read_timeout 1h;
|
||||
|
||||
location / {
|
||||
proxy_pass http://couchdb:5984;
|
||||
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
|
||||
proxy_set_header X-Forwarded-Host $http_x_forwarded_host;
|
||||
proxy_set_header Connection "";
|
||||
|
||||
# CouchDB never marks AuthSession cookies Secure behind a TLS-terminating
|
||||
# proxy — mochiweb only checks the raw socket scheme, and ignores
|
||||
# x_forwarded_proto/x_forwarded_ssl for cookie attribution. Add Secure
|
||||
# here so SameSite=None cookies survive cross-origin requests.
|
||||
proxy_cookie_flags AuthSession secure;
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user