I have a working NGINX config as a reverse proxy. I'm trying to modify the upstream server's Cookie headers to add samesite=none and secure. According to the docs here: proxy_cookie_flags, it should be easy.

I have this in my location block for my https/443 server:

location / {
    add_header Content-Security-Policy "script-src 'self' 'unsafe-eval' 'unsafe-inline' https://*.totalvu.live; child-src 'self' https://*.mydomain.live;" always;
    proxy_cookie_flags ~ samesite=none secure;
....
}

Unfortunately the Cookie is coming out untouched:

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 27 Sep 2022 01:02:21 GMT
Content-Type: text/plain; charset=UTF-8
Content-Length: 30
Connection: keep-alive
Vary: Accept
Set-Cookie: lila2=cd69d002012f499644b47ff73724f28f63ae01e9-sessionId=pNZihR8tHHkw6p6paafFTj; Max-Age=315360000; Expires=Fri, 24 Sep 2032 01:02:21 GMT; Path=/; Domain=app.mydomain.live; HTTPOnly
Content-Security-Policy: script-src 'self' 'unsafe-inline' https://*.mydomain.live; child-src 'self' https://*.mydomain.live;

I see the GET request in the access log; there is nothing special about it. Any idea what is wrong in my config?

gwhiz

0 Answers
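A check for the symptom described in the question, added here as an example and not part of the original post: it audits each Set-Cookie header for Secure and SameSite, and reports whether a source that appears only in the location block's configured CSP shows up in the response, which indicates whether that block's headers reached the client. The sample headers are modelled on the response in the question with a placeholder cookie value; the function names and `CONFIG_CSP_MARKER` are illustrative.

```python
# Added example: audit Set-Cookie attributes in a proxied response.
# Headers modelled on the response in the question; the cookie value is a constructed placeholder.
SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
Server: nginx
Set-Cookie: lila2=PLACEHOLDER-sessionId=PLACEHOLDER; Max-Age=315360000; Expires=Fri, 24 Sep 2032 01:02:21 GMT; Path=/; Domain=app.mydomain.live; HTTPOnly
Content-Security-Policy: script-src 'self' 'unsafe-inline' https://*.mydomain.live; child-src 'self' https://*.mydomain.live;
"""

# Source that appears only in the CSP configured in the question's location block.
CONFIG_CSP_MARKER = "https://*.totalvu.live"


def parse_headers(raw):
    """Return [(lower-cased name, value)] for every header line after the status line."""
    pairs = []
    for line in raw.splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit_cookie(set_cookie):
    """Return (cookie name, list of missing or inconsistent attributes)."""
    first, *rest = [p.strip() for p in set_cookie.split(";")]
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        if key:
            attrs[key.strip().lower()] = val.strip().lower()
    problems = []
    if "secure" not in attrs:
        problems.append("no Secure")
    if "samesite" not in attrs:
        problems.append("no SameSite")
    elif attrs["samesite"] == "none" and "secure" not in attrs:
        problems.append("SameSite=None without Secure")
    return first.split("=", 1)[0], problems


def audit_response(raw):
    """Audit each cookie and report whether the location block's CSP was applied."""
    headers = parse_headers(raw)
    cookies = [audit_cookie(v) for n, v in headers if n == "set-cookie"]
    csp_applied = any(CONFIG_CSP_MARKER in v for n, v in headers
                      if n == "content-security-policy")
    return {"cookies": cookies, "location_csp_applied": csp_applied}
```

Feeding it the raw headers of a real response (for example saved from `curl -sI`) gives the same report for a live site.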