NodeJS, Express, why should I use app.enable('trust proxy');

I needed to redirect http to https and found this code:

// Tell Express it sits behind a proxy, so req.secure is derived from X-Forwarded-Proto
app.enable('trust proxy');
app.use((req, res, next) => {
    if (req.secure) {
        // Already https (as seen by the proxy): carry on
        next();
    } else {
        // Plain http: send the client to the same host and path over https
        res.redirect('https://' + req.headers.host + req.url);
    }
});

I'm using Heroku to host my project. I noticed that Heroku by default issues a *.herokuapp.com cert, so I can use both http and https.

When I looked at req.secure within the app.use callback: without app.enable('trust proxy'), req.secure is always false; when I add app.enable('trust proxy'), it's false for about 2 requests and after the https redirection it switches to true.

app.enable('trust proxy'), from the docs:

Indicates the app is behind a front-facing proxy, and to use the X-Forwarded-* headers to determine the connection and the IP address of the client.

My question:

Why would my server be behind a proxy? (Is it related to the issued *.herokuapp.com cert?) If someone could explain how it all fits together: why is my server behind a proxy, and why, without app.enable, won't Express identify (or accept) a secure connection?

Aviel Fedida asked Oct 08 '16 07:10


1 Answer

If you're not running behind a proxy, it's not required. E.g., if you're running multiple websites on a server, chances are you're using a proxy.

X-Forwarded-For header attributes get added when doing this so that your proxy can see what the original url was; proxying in the end will be going to localhost, you see. The reason why it's needed is that X-Forwarded-For can be faked; there is nothing stopping the client adding these too, not just a proxy. So trust-proxy should only be enabled on the receiving end, that would be behind your firewall. Because you have control, you can trust this.

So in a nutshell, if your website is running behind a proxy, you can enable it. If your website is running directly on port 80, you don't want to trust it, as the sender could pretend to be coming from localhost etc.

Keith answered Sep 29 '22 20:09