Node.js express-session what does the proxy option do?

Question

app.use(session(
  {
    ...
    proxy: true,
    resave: true,
    saveUninitialized: true
  }
));

I found a tutorial on express-session and they have a proxy: true option. Can I leave it on true? What does this do? Is it better to include it? I know what a proxy is; however, I don't really get why this is an option?

Recommended answer

The fine manual states:

Trust the reverse proxy when setting secure cookies (via the "X-Forwarded-Proto" header).

This refers to situations where clients don't connect directly to your Node server, but through a reverse proxy. For instance, clients connect to an NGINX webserver, which forwards the requests to a Node server; NGINX, in this situation, is the reverse proxy.

In reverse proxy setups, it's also quite common that the client communicates with the reverse proxy over HTTPS, yet the proxy communicates with the Node server using plain HTTP.

This is an issue when you configure the session middleware to use so-called "secure cookies" (documented here). The session middleware won't allow these cookies to be sent over plain HTTP but requires that they are sent over HTTPS. If your reverse proxy communicates with your Node server over HTTP, this would mean you won't be able to use secure cookies.

To solve this problem, the reverse proxy will set the X-Forwarded-Proto header on every request it forwards. It tells the Node server what the original protocol of the request was, regardless of the way the reverse proxy connects to the Node server.

With the proxy option of the session middleware, you're telling it to trust this header and allow secure cookies to be sent over plain HTTP, provided that X-Forwarded-Proto is set to https.

If you are exposing your Node server directly (so clients connect to it), you should set this option to false, because otherwise, a client can fool your server (by sending an X-Forwarded-Proto header itself) into thinking that the connection was secure. However, if you're not using secure cookies anyway, it won't really matter.
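
The decision the answer describes, as an added example that is not part of the original answer and is not express-session's own code: a simplified model of when a secure session cookie is issued. The function names and request objects are constructed for illustration; the `undefined` case (deferring to Express's `req.secure`) comes from the express-session documentation rather than from this page.

```javascript
// Simplified model of the check (assumption: names are illustrative, not the library's API).
//   proxy: true      -> trust the X-Forwarded-Proto header
//   proxy: false     -> ignore forwarded headers; only a TLS socket counts as secure
//   proxy: undefined -> defer to Express's req.secure (the app's "trust proxy" setting)
function isSecure(req, proxy) {
  if (req.socket && req.socket.encrypted) return true; // Node terminates TLS itself
  if (proxy === false) return false;
  if (proxy !== true) return req.secure === true;
  // A proxy chain may send a list ("https, http"); this model reads the first entry.
  const header = String(req.headers['x-forwarded-proto'] || '');
  return header.split(',')[0].trim().toLowerCase() === 'https';
}

// With cookie.secure enabled, the session cookie is only issued on a secure request.
function issuesSessionCookie(req, { proxy, cookieSecure }) {
  return !cookieSecure || isSecure(req, proxy);
}

// Constructed requests: plain objects standing in for http.IncomingMessage.
const viaProxyHttps = { socket: {}, headers: { 'x-forwarded-proto': 'https' } };
const viaProxyHttp = { socket: {}, headers: { 'x-forwarded-proto': 'http' } };
// Node exposed directly over plain HTTP; the header was supplied by the client.
// It is byte-for-byte the same as viaProxyHttps, which is why Node cannot tell them apart.
const directWithClientHeader = { socket: {}, headers: { 'x-forwarded-proto': 'https' } };
const directTls = { socket: { encrypted: true }, headers: {} };

function evaluate() {
  const on = { cookieSecure: true };
  return {
    behindProxy_proxyTrue_https: issuesSessionCookie(viaProxyHttps, { ...on, proxy: true }),
    behindProxy_proxyTrue_http: issuesSessionCookie(viaProxyHttp, { ...on, proxy: true }),
    behindProxy_proxyFalse_https: issuesSessionCookie(viaProxyHttps, { ...on, proxy: false }),
    direct_proxyTrue_clientHeader: issuesSessionCookie(directWithClientHeader, { ...on, proxy: true }),
    direct_proxyFalse_clientHeader: issuesSessionCookie(directWithClientHeader, { ...on, proxy: false }),
    direct_proxyFalse_tls: issuesSessionCookie(directTls, { ...on, proxy: false }),
    insecureCookie_plainHttp: issuesSessionCookie(viaProxyHttp, { cookieSecure: false, proxy: false }),
  };
}

console.log(evaluate());
```

The `direct_proxyTrue_clientHeader` row is the misconfiguration the answer warns about: the header is accepted although no proxy added it, so the fix is `proxy: false` on any server that clients can reach directly.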
