What does "trust proxy" actually do in express.js, and do I need to use it?
Note: this page is a translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use or share it, but you must attribute it to the original authors (not the translator): StackOverflow
Original: http://stackoverflow.com/questions/23413401/
Asked by joeycozza
I am writing an express app that sits behind an nginx server. I was reading through express's documentation and it mentioned the 'trust proxy' setting. All it says is
trust proxy Enables reverse proxy support, disabled by default
I read the little article here that explains Secure Sessions in Node with nginx.
http://blog.nikmartin.com/2013/07/secure-sessions-in-nodejs-with-nginx.html
So I am curious. Does setting 'trust proxy' to true only matter when using HTTPS? Currently my app is just HTTP between the client and nginx. If I set it to true now, are there any side-effects/repercussions I need to be aware of? Is there any point to setting it true now?
Accepted answer by Akshat Jiwan Sharma
This is explained in detail in the express behind the proxies guide
By enabling the "trust proxy" setting via app.enable('trust proxy'), Express will have knowledge that it's sitting behind a proxy and that the X-Forwarded-* header fields may be trusted, which otherwise may be easily spoofed.
Enabling this setting has several subtle effects. The first of which is that X-Forwarded-Proto may be set by the reverse proxy to tell the app that it is https or simply http. This value is reflected by req.protocol.
The second change this makes is the req.ip and req.ips values will be populated with X-Forwarded-For's list of addresses.
Answer by anneb
Annotated code to explain use of trust proxy
var express = require('express');
var app = express();

// Set the IP address of your trusted reverse proxy server, such as
// haproxy, Apache mod_proxy, nginx configured as a proxy, or others.
// The proxy server should insert the IP address of the remote client
// through the request header 'X-Forwarded-For', as in
// 'X-Forwarded-For: some.client.ip.address'.
// Inserting the forwarded header is an option on most proxy software.
app.set('trust proxy', '127.0.0.1');

app.get('/test', function(req, res) {
    var ip = req.ip; // with 'trust proxy', req.ip is the remote client, not the last reverse proxy
    if (ip.indexOf('::ffff:') === 0) { // strip the IPv4-mapped IPv6 prefix when listening on both IPv4 and IPv6
        ip = ip.substr(7);
    }
    // req.ip and req.protocol are now the IP and protocol of the client,
    // not those of the reverse proxy server.
    // req.headers['x-forwarded-for'] is left unchanged and contains more than
    // one address when there are several forwarders between the client and Node.js.
    // Forwarders can also be spoofed by the client, but app.set('trust proxy')
    // selects the correct client IP from the list.
    // If the Node.js server is called directly, bypassing the trusted proxies,
    // 'trust proxy' ignores the X-Forwarded-For header and sets req.ip to the
    // remote client IP address.
    res.json({ ip: ip, protocol: req.protocol, headers: req.headers['x-forwarded-for'] });
});

// In this example the reverse proxy is expected to forward to port 3110.
var port = 3110;
app.listen(port);
// Test through the proxy: http://yourproxyserver/test; req.ip should be your client IP.
// Test a direct connection: http://yournodeserver:3110/test; req.ip should be your
// client IP even if you insert bogus X-Forwarded-For request headers.
console.log('Listening at http://localhost:' + port);
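The two answers above describe the rule in words; the stand-alone JavaScript below is an added example (not code from either answer, and not Express's or proxy-addr's own source) that re-implements that rule so the difference between app.enable('trust proxy'), a hop count and an explicit proxy list can be seen on constructed requests. It assumes the trusted-proxy list is passed as an array of exact addresses (Express takes a comma-separated string and also accepts CIDR ranges and keywords such as 'loopback', which are left out here), and the addresses 127.0.0.1, 203.0.113.9, 198.51.100.7, 10.0.0.5 and 1.2.3.4 are made-up test values.

```javascript
// Added example (not from the original answers or from Express): a stand-alone
// re-implementation of the rule Express applies, through the proxy-addr package,
// when it derives req.ip / req.ips / req.protocol from the socket peer address,
// X-Forwarded-For and X-Forwarded-Proto under a given 'trust proxy' setting.
// Supported setting forms here: false, true, a hop count, or an array of exact
// trusted addresses (assumption: Express takes a comma-separated string instead).
// CIDR ranges and keywords such as 'loopback' are deliberately left out.

// IPv4-mapped IPv6 addresses ("::ffff:10.0.0.1") compare equal to plain IPv4.
function normalizeAddr(addr) {
  return addr.startsWith('::ffff:') ? addr.slice(7) : addr;
}

// Turn a 'trust proxy' value into a predicate trust(addr, hopIndex).
function compileTrust(setting) {
  if (setting === true) return () => true;                          // app.enable('trust proxy')
  if (!setting) return () => false;                                 // default: trust nothing
  if (typeof setting === 'number') return (addr, i) => i < setting; // trust the first N hops
  const trusted = new Set(setting.map(normalizeAddr));              // explicit proxy list
  return (addr) => trusted.has(normalizeAddr(addr));
}

// Addresses ordered nearest hop first: the socket peer, then X-Forwarded-For
// entries read right to left (each proxy appends its own upstream peer).
function allAddrs(remoteAddress, xff) {
  const addrs = [remoteAddress];
  if (xff) {
    const parts = xff.split(',').map((s) => s.trim()).filter(Boolean);
    for (let i = parts.length - 1; i >= 0; i--) addrs.push(parts[i]);
  }
  return addrs;
}

// Walk outward from the socket and cut the chain at the first untrusted hop;
// that hop is taken to be the client. The last entry is never tested, so if
// every hop before it is trusted the leftmost X-Forwarded-For value wins.
function trustedChain(remoteAddress, xff, trust) {
  const addrs = allAddrs(remoteAddress, xff);
  for (let i = 0; i < addrs.length - 1; i++) {
    if (trust(addrs[i], i)) continue;
    addrs.length = i + 1;
    break;
  }
  return addrs;
}

// conn: { remoteAddress, encrypted }; headers: object keyed by lower-cased header name.
function resolveRequest(conn, headers, setting) {
  const trust = compileTrust(setting);
  const chain = trustedChain(conn.remoteAddress, headers['x-forwarded-for'], trust);
  const ip = chain[chain.length - 1];
  // req.ips: the chain farthest-first, without the socket peer itself.
  const ips = chain.slice(1).reverse();
  // req.protocol: X-Forwarded-Proto is honoured only when the socket peer itself
  // is trusted, and only its first comma-separated value is used.
  let protocol = conn.encrypted ? 'https' : 'http';
  const xfp = headers['x-forwarded-proto'];
  if (xfp && trust(conn.remoteAddress, 0)) protocol = xfp.split(',')[0].trim();
  return { ip, ips, protocol };
}

// Constructed requests; all addresses are made-up test values.
const viaNginx = { remoteAddress: '127.0.0.1', encrypted: false }; // nginx on the same host
const direct = { remoteAddress: '203.0.113.9', encrypted: false }; // a client bypassing nginx
const honest = { 'x-forwarded-for': '198.51.100.7', 'x-forwarded-proto': 'https' };
const spoofed = { 'x-forwarded-for': '1.2.3.4', 'x-forwarded-proto': 'https' };

function demo() {
  return {
    // Default: headers ignored, req.ip is whoever opened the socket (nginx here).
    untrusted: resolveRequest(viaNginx, honest, false),
    // The answer's app.set('trust proxy', '127.0.0.1'): the real proxy is unwrapped...
    listViaProxy: resolveRequest(viaNginx, honest, ['127.0.0.1']),
    // ...while a direct caller's forged headers are ignored.
    listDirect: resolveRequest(direct, spoofed, ['127.0.0.1']),
    // app.enable('trust proxy') trusts every hop: a direct caller forges both values.
    trueDirect: resolveRequest(direct, spoofed, true),
    // Hop count 1 behind two forwarders: the outer proxy, not the client, becomes req.ip.
    oneHop: resolveRequest(viaNginx, { 'x-forwarded-for': '198.51.100.7, 10.0.0.5' }, 1),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The cases worth noting for the original question are trueDirect and listDirect: with the boolean form, anyone who can reach the Node.js port directly chooses their own req.ip and req.protocol, whereas the address-list form (or a hop count that matches the real chain exactly) only unwraps headers that arrived from the named proxy.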

