From f89993e511626f929d35bde6415423144edcddb9 Mon Sep 17 00:00:00 2001
From: Alex Anderson <191496+alxndrsn@users.noreply.github.com>
Date: Tue, 30 Aug 2022 07:38:42 +0300
Subject: [PATCH] nginx.conf: document dev-specific hacks (#622)

Co-authored-by: alxndrsn
---
 main.nginx.conf | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

diff --git a/main.nginx.conf b/main.nginx.conf
index 0dfeb10dd..fc2c81d9c 100644
--- a/main.nginx.conf
+++ b/main.nginx.conf
@@ -73,14 +73,27 @@ http {
 proxy_pass http://localhost:8383;
 proxy_redirect off;
 
- include ./common-headers.nginx.conf;
- add_header Set-Cookie $session_cookie;
- proxy_set_header X-Forwarded-Proto https;
-
 # buffer requests, but not responses, so streaming out works.
 proxy_request_buffering on;
 proxy_buffering off;
 proxy_read_timeout 2m;
+
+ # Dev-specific hacks:
+
+ # In conjunction with the map{} definition above, remap
+ # "Set-Cookie: __Host-session=..." to "Set-Cookie: session=..."
+ #
+ # 1. Cookies cannot use the "__Host-" prefix in non-HTTPs requests
+ # see: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#cookie_prefixes
+ # 2. central-backend cookie parsing is relaxed and will consider the
+ # first cookie ending in "session" to be the session cookie
+ add_header Set-Cookie $session_cookie;
+ # re-add common headers after add_header call
+ include ./common-headers.nginx.conf;
+
+ # Trick central-backend from thinking connections are coming
+ # over HTTPS so that ExpressJS will set "secure" cookies.
+ proxy_set_header X-Forwarded-Proto https;
 }
 
 location / {
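Review bot: The new comment above `proxy_set_header X-Forwarded-Proto https;` explains the mechanism but not the consequence: the backend is told every request arrived over TLS, so it will issue `Secure` cookies even when the listener is plain HTTP. Together with the `__Host-` remap this drops the browser-enforced prefix guarantees (Secure, host-only, Path=/), and point 2 of the comment suggests the backend accepts any cookie name ending in "session". The block should therefore say outright that it must not be carried into a production config, for example `# DEV ONLY: do not copy into a production server block; this disables the __Host- prefix and the HTTPS signal.` The wording would also read more clearly as `# Trick central-backend into thinking connections are coming` and `non-HTTPS`. The enclosing `location` block opens above the hunk and the `map{}` it relies on is not visible here, so whether the upstream `__Host-session` header is still forwarded alongside the remapped one cannot be confirmed from these lines.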