Express behind proxies
When running an Express app behind a reverse proxy, some of the Express APIs may return different values than expected. To adjust for this, the trust proxy application setting may be used to expose information provided by the reverse proxy in the Express APIs. The most common issue is that Express APIs that expose the client's IP address may instead show an internal IP address of the reverse proxy.
When configuring the trust proxy setting, it is important to understand the exact setup of the reverse proxy. Since this setting will trust values provided in the request, it is important that the combination of the setting in Express matches how the reverse proxy operates.
The application setting trust proxy may be set to one of the values listed in the following table.
Type | Value |
Boolean |
If true, the client's IP address is understood as the left-most entry in the X-Forwarded-For header.
If false, the app is understood as directly facing the client and the client's IP address is derived from req.socket.remoteAddress. This is the default setting.
When setting to true, it is important to ensure that the last reverse proxy trusted is removing/overwriting all of the following HTTP headers: X-Forwarded-For, X-Forwarded-Host, and X-Forwarded-Proto, otherwise it may be possible for the client to provide any value.
|
IP addresses |
An IP address, subnet, or an array of IP addresses and subnets to trust as being a reverse proxy. The following list shows the pre-configured subnet names:
loopback - 127.0.0.1/8, ::1/128
linklocal - 169.254.0.0/16, fe80::/10
uniquelocal - 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, fc00::/7
You can set IP addresses in any of the following ways:
app.set('trust proxy', 'loopback') // specify a single subnet
app.set('trust proxy', 'loopback, 123.123.123.123') // specify a subnet and an address
app.set('trust proxy', 'loopback, linklocal, uniquelocal') // specify multiple subnets as CSV
app.set('trust proxy', ['loopback', 'linklocal', 'uniquelocal']) // specify multiple subnets as an array
When specified, the IP addresses or the subnets are excluded from the address determination process, and the untrusted IP address nearest to the application server is determined as the client's IP address. This works by checking if req.socket.remoteAddress is trusted. If so, then each address in X-Forwarded-For is checked from right to left until the first non-trusted address.
|
Number |
Use the address that is at most n number of hops away from the Express application. req.socket.remoteAddress is the first hop, and the rest are looked for in the X-Forwarded-For header from right to left. A value of 0 means that the first untrusted address would be req.socket.remoteAddress, i.e. there is no reverse proxy.
When using this setting, it is important to ensure there are not multiple, different-length paths to the Express application such that the client can be less than the configured number of hops away, otherwise it may be possible for the client to provide any value.
|
Function |
Custom trust implementation.
app.set('trust proxy', (ip) => {
  if (ip === '127.0.0.1' || ip === '123.123.123.123') return true // trusted IPs
  else return false
})
|
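The resolution rules in the table above, as an added example that is not part of the Express documentation or the proxy-addr source: a simplified IPv4-only model (CIDR strings only, no named subnets) run against one constructed request. The helper names ipToInt, inCidr, compileTrust and clientIp are assumptions made for the illustration.

```javascript
// Added example: simplified, IPv4-only model of the resolution rules above.
// Not the proxy-addr source; ipToInt, inCidr, compileTrust and clientIp are hypothetical names.
const ipToInt = (ip) => ip.split('.').reduce((n, o) => ((n << 8) | Number(o)) >>> 0, 0);

function inCidr(ip, cidr) {
  const [base, bits = '32'] = cidr.split('/');
  const mask = Number(bits) === 0 ? 0 : (~0 << (32 - Number(bits))) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(base) & mask) >>> 0);
}

// Turn a trust proxy value (boolean, hop count, or array of CIDRs) into trust(addr, hopIndex).
function compileTrust(setting) {
  if (setting === true) return () => true;
  if (!setting) return () => false;                // false or 0: no reverse proxy
  if (typeof setting === 'number') return (_addr, i) => i < setting;
  return (addr) => setting.some((cidr) => inCidr(addr, cidr));
}

// Candidates: socket address first, then X-Forwarded-For read right to left.
// The result is the first untrusted candidate, or the left-most entry if all are trusted.
function clientIp(remoteAddress, xff, setting) {
  const forwarded = xff ? xff.split(',').map((s) => s.trim()).reverse() : [];
  const addrs = [remoteAddress, ...forwarded];
  const trust = compileTrust(setting);
  for (let i = 0; i < addrs.length - 1; i++) {
    if (!trust(addrs[i], i)) return addrs[i];
  }
  return addrs[addrs.length - 1];
}

// Constructed request: the client sent its own X-Forwarded-For (203.0.113.99),
// and one proxy at 10.0.0.5 appended the address it saw (198.51.100.23).
const socket = '10.0.0.5';
const xff = '203.0.113.99, 198.51.100.23';

function demo() {
  return {
    off: clientIp(socket, xff, false),             // 10.0.0.5
    all: clientIp(socket, xff, true),              // 203.0.113.99 (client-supplied)
    subnet: clientIp(socket, xff, ['10.0.0.0/8']), // 198.51.100.23
    oneHop: clientIp(socket, xff, 1),              // 198.51.100.23
    twoHops: clientIp(socket, xff, 2),             // 203.0.113.99 (hop count too high)
  };
}

console.log(demo());
```

With true, or with a hop count larger than the real number of proxies, the left-most client-supplied entry is returned, which is the situation the warnings in the table describe.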
Enabling trust proxy will have the following impact:
- The value of req.hostname is derived from the value set in the X-Forwarded-Host header, which can be set by the client or by the proxy.
- X-Forwarded-Proto can be set by the reverse proxy to tell the app whether it is https or http or even an invalid name. This value is reflected by req.protocol.
- The req.ip and req.ips values are populated based on the socket address and X-Forwarded-For header, starting at the first untrusted address.
The trust proxy setting is implemented using the proxy-addr package. For more information, see its documentation.