We have a Node.js/Express application sitting behind stunnel for SSL termination. I cannot figure out how to force secure session cookies. Looking at the session middleware source:

    // only send secure session cookies when there is a secure connection.
    // proxySecure is a custom attribute to allow for a reverse proxy
    // to handle SSL connections and to communicate to connect over HTTP that
    // the incoming connection is secure.
    var secured = cookie.secure && (req.connection.encrypted || req.connection.proxySecure);
    if (secured || !cookie.secure) {
      res.setHeader('Set-Cookie', cookie.serialize(key, req.sessionID));
    }

I apparently have to set req.connection.proxySecure to true, but I don't know how to do that. It appears stunnel is supposed to communicate this "over HTTP", but stunnel can't set headers. So I am at a loss. Should I instead try to set it locally with a custom bit of middleware before the session middleware, or in a Connect config variable somewhere?

Thanks for any help


Solution

Ensure the proxy is setting the X-Forwarded-Proto: https header. You must then add the proxy: true config param to the session middleware.
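The following is an added example, not code from the question, the answer, or the Connect/Express session middleware. It reproduces the decision the quoted middleware makes: a cookie flagged Secure is only emitted when this hop is TLS (req.connection.encrypted) or when a trusted reverse proxy reports that it terminated TLS via X-Forwarded-Proto: https. The trustProxy flag here plays the role of the proxy: true option from the answer (in Express the same trust is granted with app.set('trust proxy', 1), which express-session falls back to when proxy is left unset). The function names, the cookie name connect.sid, and the sample requests are assumptions constructed for this example; the point to check is the third case, where an attacker-supplied X-Forwarded-Proto is ignored unless the proxy is explicitly trusted.

```javascript
'use strict';
// Added example (not from the original post or from Connect/Express).
// Models the secure-session-cookie decision quoted in the question.

// Decide whether the request arrived over TLS, either directly or via a
// trusted TLS-terminating proxy. Header trust is opt-in: without trustProxy
// any client on the plaintext side could spoof X-Forwarded-Proto.
function isSecureRequest(req, trustProxy) {
  if (req.connection && req.connection.encrypted) return true; // TLS on this hop
  if (!trustProxy) return false;                                // ignore headers otherwise
  const xfp = req.headers && req.headers['x-forwarded-proto'];
  if (typeof xfp !== 'string') return false;
  // Proxies may append to an existing list; the first entry is the client-facing hop.
  return xfp.split(',')[0].trim().toLowerCase() === 'https';
}

// Build the Set-Cookie value the session middleware would send, or null when
// a Secure cookie must be withheld because the connection is not secure.
// opts: { key, sessionId, secure, trustProxy } (names assumed for this example)
function sessionCookieHeader(req, opts) {
  const secured = opts.secure && isSecureRequest(req, opts.trustProxy);
  if (opts.secure && !secured) return null; // never leak a Secure cookie over plaintext
  let header = `${opts.key}=${encodeURIComponent(opts.sessionId)}; Path=/; HttpOnly`;
  if (secured) header += '; Secure';
  return header;
}

// A handler in the shape of Connect middleware: sets the header on res when allowed.
function sessionMiddleware(opts) {
  return function (req, res, next) {
    const header = sessionCookieHeader(req, opts);
    if (header !== null) res.setHeader('Set-Cookie', header);
    if (typeof next === 'function') next();
  };
}

// Constructed sample requests (not captured traffic).
const viaProxy = { connection: { encrypted: false }, headers: { 'x-forwarded-proto': 'https' } };
const plain    = { connection: { encrypted: false }, headers: {} };
const directTls = { connection: { encrypted: true }, headers: {} };

const base = { key: 'connect.sid', sessionId: 'abc123', secure: true };

function demo() {
  return {
    trustedProxy:   sessionCookieHeader(viaProxy,  { ...base, trustProxy: true }),
    untrustedProxy: sessionCookieHeader(viaProxy,  { ...base, trustProxy: false }), // spoof attempt
    plaintext:      sessionCookieHeader(plain,     { ...base, trustProxy: true }),
    directTls:      sessionCookieHeader(directTls, { ...base, trustProxy: false }),
    insecureCookie: sessionCookieHeader(plain,     { ...base, secure: false, trustProxy: false }),
  };
}

module.exports = { isSecureRequest, sessionCookieHeader, sessionMiddleware, demo };
```

Running demo() shows the cookie is only marked Secure in the trustedProxy and directTls cases; with trustProxy false the forwarded header is ignored and the Secure cookie is withheld, which is exactly the silent behaviour the question observed before proxy: true was set.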

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow