CouchDB 3.5 derives the Set-Cookie Secure flag from the raw mochiweb socket scheme and ignores X-Forwarded-Proto/Ssl for cookie attribution. Behind a TLS-terminating proxy the cookie was emitted without Secure, so browsers dropped the SameSite=None AuthSession cookie on cross-origin requests — POST /_session returned 200 but the next GET /_session showed userCtx.name: null and PouchDB stayed unauthenticated. Add an nginx sidecar that adds Secure via proxy_cookie_flags, route the public domain through it, and make couchdb internal. Also persist same_site=none in couchdb-init so the setting survives container recreation (local.d/ is not in the data volume).
30 lines
1.0 KiB
Plaintext
30 lines
1.0 KiB
Plaintext
server {
|
|
listen 5984;
|
|
server_name _;
|
|
|
|
# PouchDB attachments and _bulk_docs can be large.
|
|
client_max_body_size 256m;
|
|
|
|
# CouchDB's _changes?feed=continuous needs HTTP/1.1, no buffering, long timeouts.
|
|
proxy_http_version 1.1;
|
|
proxy_buffering off;
|
|
proxy_read_timeout 1h;
|
|
|
|
location / {
|
|
proxy_pass http://couchdb:5984;
|
|
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
|
|
proxy_set_header X-Forwarded-Host $http_x_forwarded_host;
|
|
proxy_set_header Connection "";
|
|
|
|
# CouchDB never marks AuthSession cookies Secure behind a TLS-terminating
|
|
# proxy — mochiweb only checks the raw socket scheme, and ignores
|
|
# x_forwarded_proto/x_forwarded_ssl for cookie attribution. Add Secure
|
|
# here so SameSite=None cookies survive cross-origin requests.
|
|
proxy_cookie_flags AuthSession secure;
|
|
}
|
|
}
|