I'm writing an Express app that sits behind an nginx server. I'm reading the Express documentation, and it mentions the "trust proxy" setting. All it says is:
trust proxy Enables reverse proxy support, disabled by default
I read a small article here that explains secure sessions in Node with nginx:
http://blog.nikmartin.com/2013/07/secure-sessions-in-nodejs-with-nginx.html
So I'm curious. Does setting "trust proxy" to true only matter when using HTTPS? Right now my app is just HTTP between the client and nginx. If I set it to true now, are there any side effects/implications I need to be aware of? Does it make sense to set it to true now?
This is explained in detail in the Express guide on running behind proxies:
By enabling the "trust proxy" setting via app.enable('trust proxy'), Express will have knowledge that it's sitting behind a proxy and that the X-Forwarded-* header fields may be trusted, which otherwise may be easily spoofed.
Enabling this setting has several subtle effects. The first of which is that X-Forwarded-Proto may be set by the reverse proxy to tell the app that it is https or simply http. This value is reflected by req.protocol.
The second change this makes is the req.ip and req.ips values will be populated with X-Forwarded-For's list of addresses.
Annotated code explaining the use of trust proxy:
var express = require('express');
var app = express();
// Set the ip-address of your trusted reverse proxy server such as
// haproxy or Apache mod proxy or nginx configured as proxy or others.
// The proxy server should insert the ip address of the remote client
// through request header 'X-Forwarded-For' as
// 'X-Forwarded-For: some.client.ip.address'
// Insertion of the forward header is an option on most proxy software
app.set('trust proxy', '127.0.0.1');
app.get('/test', function(req, res){
var ip = req.ip; // trust proxy sets ip to the remote client (not to the ip of the last reverse proxy server)
if (ip.startsWith('::ffff:')) { // fix for if you have both ipv4 and ipv6 (IPv4-mapped IPv6 address)
ip = ip.slice(7);
}
// req.ip and req.protocol are now set to ip and protocol of the client, not the ip and protocol of the reverse proxy server
// req.headers['x-forwarded-for'] is not changed
// req.headers['x-forwarded-for'] contains more than 1 forwarder when
// there are more forwarders between the client and nodejs.
// Forwarders can also be spoofed by the client, but
// app.set('trust proxy') selects the correct client ip from the list
// if the nodejs server is called directly, bypassing the trusted proxies,
// then 'trust proxy' ignores x-forwarded-for headers and
// sets req.ip to the remote client ip address
res.json({"ip": ip, "protocol": req.protocol, "headers": req.headers['x-forwarded-for']});
});
// in this example the reverse proxy is expected to forward to port 3110
var port = 3110;
app.listen(port);
// test through proxy: http://yourproxyserver/test, req.ip should be your client ip
// test direct connection: http://yournodeserver:3110/test, req.ip should be your client ip even if you insert bogus x-forwarded-for request headers
console.log('Listening at http://localhost:' + port);
TLDR: The app setting trust proxy is only for the case where the Express app sits behind a proxy. Enabling it when there is a proxy helps resolve the following properties from well-known headers (mainly X-Forwarded-For and X-Forwarded-Proto):
- req.ips
- req.hostname
- req.protocol
More details
I came here searching for what trust proxy really does for express-session. None of the answers helped me.
Default value - false (disabled)
IMO the best documentation is in the Application settings:
trust proxy: Indicates the app is behind a front-facing proxy, and to use the X-Forwarded-* headers to determine the connection and the IP address of the client. NOTE: X-Forwarded-* headers are easily spoofed and the detected IP addresses are unreliable.
When enabled, Express attempts to determine the IP address of the client connected through the front-facing proxy, or series of proxies. The req.ips property then contains an array of IP addresses the client is connected through. To enable it, use the values described in the trust proxy options table.
The trust proxy setting is implemented using the proxy-addr package. For more information, see its documentation. NOTE: Sub-apps will inherit the value of this setting, even though it has a default value.
p.s. - if you want to know how this helps express-session: you need trust proxy enabled to get req.secure
Since nginx was mentioned in the question, note that in your nginx conf (e.g. /etc/nginx/sites-enabled/default) you also need to explicitly set the header variable so that it is passed through to Express:
proxy_set_header X-Forwarded-For $remote_addr;
location /api/ {
proxy_pass "http://127.0.0.1:8000";
}
This is the minimum required; however, something like the following is faster, by using a persistent-connection zone to the upstream server:
upstream backendAPI {
zone upstreamZone 64K;
server 127.0.0.1:8000 weight=1 max_fails=2 fail_timeout=4s;
keepalive 2;
}
proxy_set_header X-Forwarded-For $remote_addr;
location /api/ {
proxy_pass http://backendAPI;
proxy_http_version 1.1;
proxy_set_header "Connection" "";
}
Then you can enable "trust proxy" to get the user's (presumed) IP address in the request object of the Express server:
const express = require("express");
const app = express();
app.set("trust proxy", true); // populate req.ip from X-Forwarded-For (trusts any proxy)
// for increased security, name the proxy servers' ips instead, so only headers
// set by those hosts are trusted (one call with a list; a second app.set would replace the first):
// app.set("trust proxy", ["127.0.0.1", "192.168.3.3"]);
app.get("/api/myIP", (req, res) => {
const ip = req.ip;
return res.json({ ip });
});
app.listen(8000);
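The comments in the first answer's code and the "name the proxy servers" remark above describe how the setting picks the client address out of X-Forwarded-For. The following is an added example, not code from the post or from Express/proxy-addr: it re-implements that selection in plain JavaScript so the effect of `true` versus a named proxy can be checked without a server. It assumes only `true`, `false` and an array of exact IP strings as the setting; 'loopback', CIDR ranges and hop counts are not handled.

```javascript
// Added example, not code from the post or from Express/proxy-addr: a minimal
// re-implementation of how 'trust proxy' turns the socket peer address plus
// X-Forwarded-For into req.ip and req.ips, so each setting's effect can be
// checked offline. Assumption: only `true`, `false` and an array of exact IP
// strings are handled; 'loopback', CIDR ranges and hop counts are not.

// Address chain as proxy-addr builds it: socket peer first, then the
// X-Forwarded-For entries from the nearest proxy back towards the client.
function addressChain(remoteAddress, xffHeader) {
  const forwarded = (xffHeader || '')
    .split(',')
    .map((s) => s.trim())
    .filter((s) => s.length > 0)
    .reverse();
  return [remoteAddress, ...forwarded];
}

// Walk the chain outward from the socket and stop at the first hop that is
// not a trusted proxy; everything beyond it was asserted by an untrusted party.
function resolveClient(remoteAddress, xffHeader, trust) {
  const chain = addressChain(remoteAddress, xffHeader);
  const isTrusted = (addr) =>
    trust === true || (Array.isArray(trust) && trust.includes(addr));
  let keep = chain.length;
  for (let i = 0; i < chain.length - 1; i++) {
    if (!isTrusted(chain[i])) { keep = i + 1; break; }
  }
  const kept = chain.slice(0, keep);
  return {
    ip: kept[kept.length - 1],       // what Express exposes as req.ip
    ips: kept.slice(1).reverse(),    // req.ips: client first, then the proxies
  };
}

// Constructed scenarios (documentation IP ranges, no real hosts). nginx runs
// on 127.0.0.1 and appends the peer address to X-Forwarded-For; the client
// also tries to forge an entry of its own.
const TRUSTED = ['127.0.0.1'];
const viaNginx       = resolveClient('127.0.0.1', '203.0.113.7', TRUSTED);
const forgedViaNginx = resolveClient('127.0.0.1', '198.51.100.9, 203.0.113.7', TRUSTED);
const forgedDirect   = resolveClient('203.0.113.7', '198.51.100.9', TRUSTED);
const trustAll       = resolveClient('203.0.113.7', '198.51.100.9', true);
// With the proxy named, the forged entry is discarded in both cases; with
// `true`, a direct connection makes req.ip whatever the client sent.
```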