Http-proxy-middleware: secure: false does not remove cookies secure -flag

Created on 2 Feb 2018  路  8Comments  路  Source: chimurai/http-proxy-middleware

Expected behavior

when secure: false, cookies secure flag should be automatically removed

Actual behavior

secure flag is not removed

Setup

  • http-proxy-middleware: 0.17.4
  • other relevant modules: webpack-dev-server

proxy middleware configuration

  proxy: {
    '/': {
      target: 'https://mydomain.com',
      secure: false,
      changeOrigin: true,
      hostRewrite: true,
      autoRewrite: true,
      xfwd: true,
      cookieDomainRewrite: '',
    }
  }

There is a workaround for this by removing the secure flag manually like

  proxy: {
    '/': {
      target: 'https://mydomain.com',
      secure: false,
      changeOrigin: true,
      hostRewrite: true,
      autoRewrite: true,
      xfwd: true,
      cookieDomainRewrite: '',
      onProxyRes: proxyResponse => {
        if (proxyResponse.headers['set-cookie']) {
          const cookies = proxyResponse.headers['set-cookie'].map(cookie =>
            cookie.replace(/; secure/gi, '')
          );
          proxyResponse.headers['set-cookie'] = cookies;
        }
      }
    }
  },

but it takes time to figure out that the flag should be removed, and I expected secure:false to setup all this kind of stuff for me.

Most helpful comment

In my opinion... when I set changeOrigin: true, and I'm going from http://localhost:3000 to https://qa.api.com, it should just work..

But I had to dive deep into the http headers and eventually figured out the cookies weren't being set - then I dived deep into cookies and figured it's because the cookies have this secure; flag.

So it's really an implementation detail - maybe there could be an option for patching the cookies - but I'm not sure what to call it - ohBTW_patch_cookies: true - it's really just a messy thing that has to do with http/cookies that developers shouldn't have to think about/be exposed to.

At the end of the day I guess it's as easy as just copy pasting these few lines to remove the secure flag: https://github.com/http-party/node-http-proxy/issues/1165#issuecomment-431025061

All 8 comments

The secure option comes from the http-proxy libary.

Option doesn't apply to cookies, only the secure connection:

secure: true/false, if you want to verify the SSL Certs

There is a feature request on their issue tracker for this: https://github.com/nodejitsu/node-http-proxy/issues/1165

Issue has gone stale; Closing issue.
Feel free to re-open.

thanks! your workaround helps me a lot

Thanks @villesau . This is still a valid issue. I need this work around to proxy from http to https using a common react-create-app configuration. Can you please reopen this issue?

Unfortunately I'm not able to reopen this. It needs to be done by some maintainer, maybe @chimurai ? Although the base issue is in the other library..

Don't think it's wise to modify the behaviour of secure, which is a configuration option of the http-proxy library.

There is a thread for this issue: https://github.com/nodejitsu/node-http-proxy/issues/1165

imho, the ecosystem would benefit more if it is solved there.

I'm open for suggestions.

In my opinion... when I set changeOrigin: true, and I'm going from http://localhost:3000 to https://qa.api.com, it should just work..

But I had to dive deep into the http headers and eventually figured out the cookies weren't being set - then I dived deep into cookies and figured it's because the cookies have this secure; flag.

So it's really an implementation detail - maybe there could be an option for patching the cookies - but I'm not sure what to call it - ohBTW_patch_cookies: true - it's really just a messy thing that has to do with http/cookies that developers shouldn't have to think about/be exposed to.

At the end of the day I guess it's as easy as just copy pasting these few lines to remove the secure flag: https://github.com/http-party/node-http-proxy/issues/1165#issuecomment-431025061

For me, I'm using angular CLI with the proxy options, so the config is a JSON file in the project, providing the workaround function is not doable for me 馃様

Edit: Well, I converted my config to js instead of JSON and that worked 馃コ

Was this page helpful?
0 / 5 - 0 ratings

Related issues

dzz9143 picture dzz9143  路  3Comments

georgyfarniev picture georgyfarniev  路  7Comments

lukaszpochrzest picture lukaszpochrzest  路  3Comments

gajus picture gajus  路  8Comments

ubreddy picture ubreddy  路  5Comments