Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

SSL load balancer + secure cookies means lots of requests 500 error

See original GitHub issue

I’m running a Koa app behind a load balancer that terminates SSL. I set app.proxy to true, and have these lines to enable secure session cookies:

const session = require('koa-session');
app.proxy = true;
app.use(session({secure: true}))

When the load balancer terminates SSL and sends through X-Forwarded-Proto: https requests, everything works fine and a secure cookie gets set.

However, any request without a X-Forwarded-Proto: https header generates the following stack trace:

Error: Cannot send secure cookie over unencrypted connection
    at Cookies.set (/Users/kevin/src/github.com/bigco/website/node_modules/koa/node_modules/cookies/lib/cookies.js:86:11)
    at Session.save (/Users/kevin/src/github.com/bigco/website/node_modules/koa-session/index.js:296:15)
    at commit (/Users/kevin/src/github.com/bigco/website/node_modules/koa-session/index.js:163:10)
    at Object.session (/Users/kevin/src/github.com/bigco/website/node_modules/koa-session/index.js:120:7)
    at session.next (<anonymous>)
    at Object.bodyParser (/Users/kevin/src/github.com/bigco/website/node_modules/koa-bodyparser/index.js:68:12)
    at bodyParser.next (<anonymous>)
    at onFulfilled (/Users/kevin/src/github.com/bigco/website/node_modules/koa/node_modules/co/index.js:65:19)
    at process._tickDomainCallback (internal/process/next_tick.js:135:7)

The offending code is here, in the cookies library:

    , secure = this.secure !== undefined ? !!this.secure : req.protocol === 'https' || req.connection.encrypted
    , cookie = new Cookie(name, value, opts)
    , signed = opts && opts.signed !== undefined ? opts.signed : !!this.keys

  if (typeof headers == "string") headers = [headers]

  if (!secure && opts && opts.secure) {
    throw new Error('Cannot send secure cookie over unencrypted connection')
  }

A response is that I should be performing http redirects at the load balancer layer and my Node app shouldn’t handle http requests. Of course.

But there are a variety of reasons I might send requests without that header:

my Node app needs to do custom logic to decide how to redirect HTTP requests to HTTPS
the load balancer sends health checks and I can’t configure the headers it sends, also it is not forwarding them for a health check
automated tooling makes requests directly to an app host (say, a stats or expvar server)

Basically it doesn’t seem like setting a secure cookie in an insecure environment should be an error, and it’s confusing that every request has to set X-Forwarded-Proto: https even when it’s not forwarding the request from anywhere else.

Alternatively, koa could just decide to not set a session cookie if there’s no X-Forwarded-Proto: https header, or catch this error from the cookies library and handle it appropriately. But it doesn’t seem very easy to handle in my own codebase.

Let me know if this is better to be reported against the cookies library. I think this is the right place for it, though.

Issue Analytics

State:
Created 6 years ago
Comments:17 (3 by maintainers)

Top GitHub Comments

8reactions

twelve17commented, Jun 4, 2018

I’m running into the same issue as @kevinburke . In short, I have an app that is in the following infra:

browser (https/443) -> AWS ALB (load balancer) -> Web App (http/80) with Proxy Middleware -> ALS ALB 2 (http/80) -> Web App 2.

I’m not in control of the infrastructure, but I know that the incoming request will be secure, so I want to force koa to send secure cookies.

To be fair, it’s possible I’m running into this because ALBs may not chain X-Forwarded-* headers correctly, but nevertheless, it would be helpful to have an option to override the cookie setting in koa.

I adapted @kevinburke 's middleware for koa 2:

   app.use((ctx, next) => {
      ctx.cookies.secure = true;
      return next();
    });

8reactions

kevinburkecommented, Apr 28, 2017

Previously, previously, previously, previously, previously, previously.

Top Results From Across the Web

Troubleshoot your Application Load Balancers

HTTP 500: Internal server error ... Possible causes: ... The load balancer is unable to communicate with the IdP token endpoint or the...

Troubleshoot External HTTP(S) Load Balancing - Google Cloud

The load balancer generates an HTTP 5XX response code when the connection to the backend has unexpectedly closed while sending the HTTP request...

Receive Error 500: java.lang.NullPointerException when ... - IBM

1) Ensure the proper SSL certificates are imported and installed on all available servers such as application servers, load balancers, or http ...

500 Internal Server Error - Backend Server | Apigee Edge

The HTTP status code 500 is a generic error response. It means that the server encountered an unexpected condition that prevented it from...

Avoiding the Top 10 NGINX Configuration Mistakes

Note also that when you specify a load‑balancing algorithm in the ... NGINX returns the 430 (Request Header Fields Too Large) error, ...

Troubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.

Start Free

Top Related Reddit Thread

No results found

Top Related Tweet

No results found

Top Related Dev.to Post

No results found

SSL load balancer + secure cookies means lots of requests 500 error

Issue Analytics

Top GitHub Comments

Top Results From Across the Web

Top Related Medium Post

Top Related StackOverflow Question

Troubleshoot Live Code

Top Related Reddit Thread

Top Related Hackernoon Post

Top Related Tweet

Top Related Dev.to Post

Top Related Hashnode Post

Empty response if result is null

How to create https server and support wss use koa2? I need it very much.