# ktor
a
hey folks! I’m trying to set a secure flag to my cookies, and I’m getting
java.lang.IllegalArgumentException: You should set secure cookie only via secure transport (HTTPS)
I’m running ktor on http, and proxying it through http/2 nginx. Is there a way to solve this?
j
Do you use HTTPS to connect to nginx? The test that ktor uses is
call.request.origin.scheme == "https"
a
but I don’t want TLS on 127.0.0.1 🙂 And I don’t know if that’s even possible
my application.conf:
ktor {
    application {
        modules = [ adeln.MainKt.module ]
    }
    deployment {
        host = "127.0.0.1"
        port = 8080
    }
}
j
We have TLS set up - we use a *.localhost.com address on Chrome and set up a tls cert with https://github.com/FiloSottile/mkcert
a
are there any other benefits other than setting the secure cookie flag?
j
I can't remember what gets treated differently by the browser - we set it up a long time ago now, sorry! On the whole the more live-like our dev environments, the better 🙂
I feel like we struggled with it for a bit but something did push us to finally iron it out
a
out of curiosity (I’m still new to this) do you launch both ktor & nginx on both dev & prod?
j
On dev we serve from npm start. It's dockerised but we mount in our source to take advantage of hot reloading.
m
It's always good to use SSL locally. As Jonathan said - the closer your dev environment is to the live environment the better. You're more likely to spot issues that are related to SSL usage in this case. Even the additional remote DNS lookup can make a difference.
a
wow. I thought they were completely unrelated — live has a separate domain, separate cert update schedule and all that
j
separate domain is GOOD, keep that 🙂
a
and since I need nginx anyway to serve some files (PartialContent in ktor is far from perfect), I thought I was ok with cleartext on 127.0.0.1. Are there any resources to read on this?
j
and I don't think cert update necessarily should be identical (I guess you might want some more trusted and more expensive cert for prod) though you might benefit from them being the same if you configure/renew through configuration as code, or if it's an option have a staging environment that is more live-like cert-wise
s
@adeln Did you try to use XForwardedHeaderSupport feature for that? https://ktor.io/servers/features/forward-headers.html
a
I have not @Sergey Akhapkin , thanks for pointing it out!