Node.js express-session what does the proxy option do?

Question

app.use(session(
  {
    ...
    proxy: true,
    resave: true,
    saveUninitialized: true
  }
));

I found a tutorial on express-session and they have a proxy: true option. Can I leave it on true? What does this do? Is it better to include it? I know what a proxy is however I don't really get why this is an option?

Recommended answer

The fine manual states:

Trust the reverse proxy when setting secure cookies (via the "X-Forwarded-Proto" header).

This refers to situations where clients don't connect directly to your Node server, but through a reverse proxy. For instance, clients connect to an NGINX webserver, which forwards the requests to a Node server; NGINX, in this situation, is the reverse proxy.

In reverse proxy setups, it's also quite common that the client communicates with the reverse proxy over HTTPS, yet the proxy communicates with the Node server using plain HTTP.

This is an issue when you configure the session middleware to use so-called "secure cookies" (documented here). The session middleware won't allow these cookies being sent over plain HTTP but requires that they are sent over HTTPS. If your reverse proxy communicates with your Node server over HTTP, this would mean you won't be able to use secure cookies.

To solve this problem, the reverse proxy will set the X-Forwarded-Proto header to every request it forwards. It tells the Node server what the original protocol of the request was, regardless of the way the reverse proxy connects to the Node server.

With the proxy option of the session middleware, you're telling it to trust this header and allow secure cookies being sent over plain HTTP, provided that X-Forwarded-Proto is set to https.

If you are exposing your Node server directly (so clients connect to it), you should set this option to false, because otherwise, a client can fool your server (by sending an X-Forwarded-Proto header itself) into thinking that the connection was secure. However, if you're not using secure cookies anyway, it won't really matter.
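
The trust decision described in the answer above, as an added example that is not part of the original answer and is not express-session's own code. It models only proxy: true and proxy: false; the function names, the socketEncrypted and cookieSecure fields, and the sample requests are assumptions made for illustration.

```javascript
// Simplified model of the behaviour the answer describes (hypothetical names,
// not express-session's source).

// Returns true when a request should be treated as having arrived over HTTPS.
function treatedAsSecure(req, trustProxy) {
  // A TLS connection terminating at Node itself is always secure.
  if (req.socketEncrypted) return true;
  // Without proxy trust, forwarded headers are ignored entirely.
  if (!trustProxy) return false;
  // With trust, believe the protocol reported in X-Forwarded-Proto.
  // The header may be a comma-separated list; this model reads the first entry.
  const header = String(req.headers['x-forwarded-proto'] || '');
  return header.split(',')[0].trim().toLowerCase() === 'https';
}

// A cookie configured as secure is only issued on requests treated as secure.
function wouldSetSessionCookie(req, opts) {
  if (!opts.cookieSecure) return true;
  return treatedAsSecure(req, opts.proxy);
}

// Constructed sample requests (not captured traffic). All arrive at Node over
// plain HTTP; they differ in who set the header.
const viaTlsProxy = { socketEncrypted: false, headers: { 'x-forwarded-proto': 'https' } };
const plainNoHeader = { socketEncrypted: false, headers: {} };
// Node exposed directly: the header value here comes from the client itself.
const directWithClientHeader = { socketEncrypted: false, headers: { 'x-forwarded-proto': 'https' } };

function demo() {
  const trusting = { cookieSecure: true, proxy: true };
  const notTrusting = { cookieSecure: true, proxy: false };
  return {
    // Intended setup: HTTPS to the proxy, HTTP to Node, header trusted.
    proxiedTrusted: wouldSetSessionCookie(viaTlsProxy, trusting),
    // Same traffic with proxy: false: the secure cookie is never issued.
    proxiedNotTrusted: wouldSetSessionCookie(viaTlsProxy, notTrusting),
    // Trust alone is not enough; the header must say https.
    plainTrusted: wouldSetSessionCookie(plainNoHeader, trusting),
    // Misconfiguration: direct exposure plus proxy: true accepts the client's claim.
    directTrusting: wouldSetSessionCookie(directWithClientHeader, trusting),
    // Recommended for direct exposure: the client's header is ignored.
    directNotTrusting: wouldSetSessionCookie(directWithClientHeader, notTrusting),
  };
}

console.log(demo());
```

The two proxied and direct requests are byte-for-byte identical from Node's point of view, which is why the option should be true only when every request is guaranteed to pass through a proxy that sets the header itself.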
