Express behind proxies

When running an Express app behind a reverse proxy, some of the Express APIs may return different values than expected. To adjust for this, the trust proxy application setting may be used to expose information provided by the reverse proxy in the Express APIs. The most common issue is that Express APIs that expose the client’s IP address may instead show an internal IP address of the reverse proxy.

When configuring the trust proxy setting, it is important to understand the exact setup of the reverse proxy. Since this setting will trust values provided in the request, it is important that the combination of the setting in Express matches how the reverse proxy operates.

The application setting trust proxy may be set to one of the values listed in the following table.

Type / Value
Boolean

If true, the client’s IP address is understood as the left-most entry in the X-Forwarded-For header.

If false, the app is understood as directly facing the client and the client’s IP address is derived from req.socket.remoteAddress. This is the default setting.

When setting to true, it is important to ensure that the last reverse proxy trusted is removing/overwriting all of the following HTTP headers: X-Forwarded-For, X-Forwarded-Host, and X-Forwarded-Proto; otherwise, it may be possible for the client to provide any value.

IP addresses

An IP address, subnet, or an array of IP addresses and subnets to trust as being a reverse proxy. The following list shows the pre-configured subnet names:

  • loopback - 127.0.0.1/8, ::1/128
  • linklocal - 169.254.0.0/16, fe80::/10
  • uniquelocal - 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, fc00::/7

You can set IP addresses in any of the following ways:

app.set('trust proxy', 'loopback') // specify a single subnet
app.set('trust proxy', 'loopback, 123.123.123.123') // specify a subnet and an address
app.set('trust proxy', 'loopback, linklocal, uniquelocal') // specify multiple subnets as CSV
app.set('trust proxy', ['loopback', 'linklocal', 'uniquelocal']) // specify multiple subnets as an array

When specified, the IP addresses or the subnets are excluded from the address determination process, and the untrusted IP address nearest to the application server is determined as the client’s IP address. This works by checking if req.socket.remoteAddress is trusted. If so, then each address in X-Forwarded-For is checked from right to left until the first non-trusted address.

Number

Use the address that is at most n number of hops away from the Express application. req.socket.remoteAddress is the first hop, and the rest are looked for in the X-Forwarded-For header from right to left. A value of 0 means that the first untrusted address would be req.socket.remoteAddress, i.e. there is no reverse proxy.

When using this setting, it is important to ensure there are not multiple, different-length paths to the Express application such that the client can be less than the configured number of hops away; otherwise, it may be possible for the client to provide any value.

Function

Custom trust implementation.

app.set('trust proxy', function (ip) {
  if (ip === '127.0.0.1' || ip === '123.123.123.123') return true // trusted IPs
  else return false
})

Enabling trust proxy will have the following impact:

The trust proxy setting is implemented using the proxy-addr package. For more information, see its documentation.
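
The address selection described in the Boolean, IP addresses and Number rows of the table can be modelled directly to compare settings against the same request. This is an added example, not code from Express or proxy-addr; the helper names (toInt, inSubnet, trustFrom, clientIp) and every address are constructed for illustration, and only IPv4 is handled.

```javascript
// Added example, not Express or proxy-addr source. IPv4 only; all addresses are constructed.

// Dotted IPv4 string -> unsigned 32-bit integer.
function toInt(ip) {
  return ip.split('.').reduce((acc, octet) => ((acc << 8) | Number(octet)) >>> 0, 0);
}

// True when ip lies inside cidr, e.g. inSubnet('10.1.2.3', '10.0.0.0/8').
function inSubnet(ip, cidr) {
  const [base, bits = '32'] = cidr.split('/');
  const mask = Number(bits) === 0 ? 0 : (~0 << (32 - Number(bits))) >>> 0;
  return ((toInt(ip) & mask) >>> 0) === ((toInt(base) & mask) >>> 0);
}

// Turn a setting (false, true, hop count, or CIDR array) into trust(addr, hopIndex).
function trustFrom(setting) {
  if (!setting) return () => false;            // false or 0: no reverse proxy
  if (setting === true) return () => true;     // trust every hop
  if (typeof setting === 'number') return (_addr, i) => i < setting;
  return (addr) => setting.some((cidr) => inSubnet(addr, cidr));
}

// Socket address is hop 0; X-Forwarded-For is then read right to left.
// Returns the first untrusted address, or the left-most entry if all are trusted.
function clientIp(remoteAddress, xff, setting) {
  const trust = trustFrom(setting);
  const hops = xff.split(',').map((s) => s.trim()).filter(Boolean).reverse();
  const chain = [remoteAddress, ...hops];
  const i = chain.findIndex((addr, idx) => !trust(addr, idx));
  return i === -1 ? chain[chain.length - 1] : chain[i];
}

// Constructed request: client 203.0.113.7 sends a forged X-Forwarded-For of
// 198.51.100.99; the single proxy at 10.0.0.5 appends the real client address.
const socketAddr = '10.0.0.5';
const header = '198.51.100.99, 203.0.113.7';

const results = {
  trustAll: clientIp(socketAddr, header, true),
  subnet: clientIp(socketAddr, header, ['10.0.0.0/8']),
  oneHop: clientIp(socketAddr, header, 1),
  twoHops: clientIp(socketAddr, header, 2),
  off: clientIp(socketAddr, header, false),
};
console.log(results);
```

With this request, true and a hop count of 2 both resolve to the forged 198.51.100.99 because the proxy appended to the header instead of overwriting it, while the subnet list and a hop count of 1 resolve to 203.0.113.7.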