Under true
You want to also do
When setting to true, it is important to ensure that the last reverse proxy trusted is removing/overwriting all of the following HTTP headers: X-Forwarded-For, X-Forwarded-Host, and X-Forwarded-Proto otherwise it may be possible for the client to provide any value.
as the express notes say to remove those headers. (Which can be done in nginx)
or you’ll need to dig out for what works well when behind a double proxy and determine if the issue is being double proxied or a SSL Schnanigan
Since you might find the problem is
Browser → HTTPS To cloudlfare → cloudflare internal to https nginx → nginx proxy non ssl to node
Where
Browser → HTTPS To cloudlfare → cloudflare internal to non http nginx → nginx proxy non ssl to node
Which seems unlikely.
Also I explicity set these headers in my nginx config:
Copy/paste from production
location / {
proxy_pass OMMITTED
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
Not sure if that will cause a difference for you, since I’m not behind cloudflare.