In nginx reverse proxy, how to set the secure flag for cookies?
Solution 1:
You might be able to get your nginx proxy modify the cookies created by the backend and set the secure flag - for inspiration see How to rewrite the domain part of Set-Cookie in a nginx reverse proxy?.
However I'd imagine that getting whatever is creating the cookie on the backend to set the secure flag is going to be a better solution. How you do that is another story (or question :).
Solution 2:
I use the following nginx config code:
# make cookie secure (case sensitive)
proxy_cookie_domain ~(?P<secure_domain>([-0-9a-z]+\.)?[-0-9a-z]+\.[a-z]+)$ "$secure_domain; secure";
Instead of the regex to make this dynamical you can of course use the FQDN.