Files
coolcouch/nginx/default.conf
Julien Calixte 2aa10b1711 fix(auth): front CouchDB with nginx to mark AuthSession cookie Secure
CouchDB 3.5 derives the Set-Cookie Secure flag from the raw mochiweb
socket scheme and ignores X-Forwarded-Proto/Ssl for cookie attribution.
Behind a TLS-terminating proxy the cookie was emitted without Secure,
so browsers dropped the SameSite=None AuthSession cookie on cross-origin
requests — POST /_session returned 200 but the next GET /_session showed
userCtx.name: null and PouchDB stayed unauthenticated.

Add an nginx sidecar that adds Secure via proxy_cookie_flags, route the
public domain through it, and make couchdb internal. Also persist
same_site=none in couchdb-init so the setting survives container
recreation (local.d/ is not in the data volume).
2026-06-02 22:05:47 +02:00

30 lines
1.0 KiB
Plaintext

server {
listen 5984;
server_name _;
# PouchDB attachments and _bulk_docs can be large.
client_max_body_size 256m;
# CouchDB's _changes?feed=continuous needs HTTP/1.1, no buffering, long timeouts.
proxy_http_version 1.1;
proxy_buffering off;
proxy_read_timeout 1h;
location / {
proxy_pass http://couchdb:5984;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
proxy_set_header X-Forwarded-Host $http_x_forwarded_host;
proxy_set_header Connection "";
# CouchDB never marks AuthSession cookies Secure behind a TLS-terminating
# proxy — mochiweb only checks the raw socket scheme, and ignores
# x_forwarded_proto/x_forwarded_ssl for cookie attribution. Add Secure
# here so SameSite=None cookies survive cross-origin requests.
proxy_cookie_flags AuthSession secure;
}
}