Hi. When I set a cookie with the secure field as true KTOR throw this exception:

java.lang.IllegalArgumentException: You should set secure cookie only via secure transport (HTTPS)

According to https://github.com/ktorio/ktor/issues/311 I have to use the ForwardedHeader plugin. But this doesn't solve the problem. I've added some logging:

intercept(ApplicationCallPipeline.Monitoring) {
    logger.info("Before ForwardedHeaders: Remote host is  ${call.request.origin.remoteHost}")
    logger.info("Before ForwardedHeaders: Scheme is  ${call.request.origin.scheme}")
    call.request.headers.entries().forEach {
        logger.info("Header: ${it.key} = ${it.value}")
    }
}


intercept(ApplicationCallPipeline.Monitoring) {
    logger.info("After ForwardedHeaders: Remote host is ${call.request.origin.remoteHost}")
    logger.info("After ForwardedHeaders: Scheme is  ${call.request.origin.scheme}")
}

This is the output:

INFO  | Application | Before ForwardedHeaders: Remote host is  10-244-3-72.nginx-ingress-ingress-nginx-controller-admission.ingress-nginx.svc.cluster.local
INFO  | Application | Before ForwardedHeaders: Scheme is  http
INFO  | Application | Header: Host = [app.mydomain.com]
INFO  | Application | Header: X-Request-ID = [xxx]
INFO  | Application | Header: X-Real-IP = [<my ip adres>]
INFO  | Application | Header: X-Forwarded-For = [<my ip adres>, <my ip adres>]
INFO  | Application | Header: X-Forwarded-Host = [app.mydomain.com, app.mydomain.com]
INFO  | Application | Header: X-Forwarded-Port = [443, 443]
INFO  | Application | Header: X-Forwarded-Proto = [https, https]
INFO  | Application | Header: X-Forwarded-Scheme = [https]
INFO  | Application | Header: X-Scheme = [https]
INFO  | Application | Header: upgrade-insecure-requests = [1]
INFO  | Application | Header: dnt = [1]
INFO  | Application | Header: user-agent = [Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36]
INFO  | Application | Header: accept = [text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7]
INFO  | Application | Header: sec-fetch-site = [cross-site]
INFO  | Application | Header: sec-fetch-mode = [navigate]
INFO  | Application | Header: sec-fetch-dest = [document]
INFO  | Application | Header: sec-ch-ua = ["Google Chrome";v="123", "Not:A-Brand";v="8", "Chromium";v="123"]
INFO  | Application | Header: sec-ch-ua-mobile = [?0]
INFO  | Application | Header: sec-ch-ua-platform = ["macOS"]
INFO  | Application | Header: referer = [<https://login.my-authentication-domain.com/>]
INFO  | Application | Header: accept-encoding = [gzip, deflate, br, zstd]
INFO  | Application | Header: accept-language = [nl,en;q=0.9,en-US;q=0.8]

INFO  | Application | After ForwardedHeaders: Remote host is 10-244-3-72.nginx-ingress-ingress-nginx-controller-admission.ingress-nginx.svc.cluster.local
INFO  | Application | After ForwardedHeaders: Scheme is  http
2024-03-21 | 15:48:18.994 | [eventLoopGroupProxy-4-1] | INFO  | Application | Header: sec-fetch-dest = [document]
2024-03-21 | 15:48:18.994 | [eventLoopGroupProxy-4-1] | INFO  | Application | Header: sec-ch-ua = ["Google Chrome";v="123", "Not:A-Brand";v="8", "Chromium";v="123"]
2024-03-21 | 15:48:18.994 | [eventLoopGroupProxy-4-1] | INFO  | Application | Header: sec-ch-ua-mobile = [?0]
2024-03-21 | 15:48:18.994 | [eventLoopGroupProxy-4-1] | INFO  | Application | Header: sec-ch-ua-platform = ["macOS"]
2024-03-21 | 15:48:18.994 | [eventLoopGroupProxy-4-1] | INFO  | Application | Header: referer = [<https://login-test.sensus-processmanagement.com/>]
2024-03-21 | 15:48:18.994 | [eventLoopGroupProxy-4-1] | INFO  | Application | Header: accept-encoding = [gzip, deflate, br, zstd]
2024-03-21 | 15:48:18.994 | [eventLoopGroupProxy-4-1] | INFO  | Application | Header: accept-language = [nl,en;q=0.9,en-US;q=0.8]
2024-03-21 | 15:48:18.994 | [eventLoopGroupProxy-4-1] | INFO  | Application | After ForwardedHeaders: Remote host is 10-244-3-72.nginx-ingress-ingress-nginx-controller-admission.ingress-nginx.svc.cluster.local
2024-03-21 | 15:48:18.994 | [eventLoopGroupProxy-4-1] | INFO  | Application | After ForwardedHeaders: Scheme is  http

What am I doing wrong?

this requirement was actually removed in 2.3.9, so you might just want to update

Yes that works, thanks! And I also see now what went wrong. The header that Ingress-Nginx uses for forwarded protocol - X-Forwarded-Proto - is missing in the default configuration of the ForwardedHeaders plugin (httpsFlagHeaders).