How do I prevent nginx from stripping secure cookies?

Alright, first of all, when you're debugging a "weird" issue with HTTP cookie based sessions, make sure to check if the appropriate Set-Cookie header is even sent by the server!

When you established that it is not being sent (as I did), you're going to want to set the environment variable DEBUG to *, in case you're running a NodeJS/express application.

If you do so, you might spot the following line in your logs:

cookie-session error saving session Cannot send secure cookie over unencrypted connection

You'll then track that line down to cookie-session and then further down to cookies. Which is when you realize that this all has to do with express not treating the connection as trusted.

So nginx isn't stripping any cookies. In a way, it is to blame though. I found the answer in nginx $scheme variable behind load balancer. To quote the accepted answer:

# Sets a $real_scheme variable whose value is the scheme passed by the load
# balancer in X-Forwarded-Proto (if any), defaulting to $scheme.
# Similar to how the HttpRealIp module treats X-Forwarded-For.
map $http_x_forwarded_proto $real_scheme {
  default $http_x_forwarded_proto;
  ''      $scheme;
}

You would put that into your nginx configuration and then use $real_scheme instead of $scheme for the X-Forwarded-Proto header:

proxy_set_header "X-Forwarded-Proto" $real_scheme;

By default, nginx doesn't do any processing related to secure flag.