NodeJS/Express automatic detection of SSL over HTTP (HTTPS) explanation?

Question

I have a server over HTTPS on NodeJS with Express.

When uploading a file, I have used the req.protocol directive in the controller to get either the HTTP or HTTPS "part" of the URL, so that I can save the file with the absolute URL. The problem is that without enabling the "trust proxy" setting of express (http://expressjs.com/en/api.html#trust.proxy.options.table), HTTPS doesn't get detected.

I thought this setting was used in the case of the actual redirect (when using the HTTP URL and the server doing the 301 redirect to HTTPS).

So this is more of an explanation question, rather than a solution one:

Why doesn't the HTTPS get detected when calling the URL through that?

Recommended answer

trust proxy has nothing to do with 301 redirects.

That setting is important when running your node server behind a proxy:

  +----------HTTPS--------+---HTTP---+
  |                       |          |
client --> internet --> proxy --> node.js

It is typical that you have some sort of proxy between the internet and your node server; for example a CDN server, a load balancer, or simply an nginx instance or such. The HTTPS connection is established between the client and that proxy. The proxy cares about the necessary wrangling of the SSL certificate and encrypting the connection and doesn't burden your application server (node) with those details. It is then forwarding only the relevant details of the request via plain HTTP to your node server. Your server only sees the proxy as the origin of the request, not the client.

Since the node server didn't itself handle the HTTPS connection, how could it know whether the connection between the client and the proxy was HTTPS? It can't. The proxy needs to voluntarily forward that information too. It does so in the X-Forwarded-* HTTP headers. The information whether it was specifically HTTP or HTTPS is sent in the X-Forwarded-Proto header.

The thing is, those are just HTTP headers. Anyone can set those headers. The client itself could set those headers. That's why you need to explicitly opt into using those headers with the trust proxy setting, if and when you know your app will be running behind a proxy which sets those headers. When you're not running behind a proxy but your node server is directly exposed to the internet, you must switch that setting off; otherwise anyone could set those headers, your server would obey those headers and be led to use false information.
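
The decision described in the answer, modelled in plain JavaScript as an added example (not part of the original answer and not Express's source code): the forwarded header is honoured only when the direct peer is a known proxy. `resolveProtocol`, `fileUrl`, the addresses and the host name are hypothetical and constructed for illustration.

```javascript
// Added example: a simplified model of proxy-aware protocol detection.
// resolveProtocol, fileUrl and all addresses/hosts are constructed for illustration.

// Address of the one reverse proxy allowed to speak for the client (constructed).
const TRUSTED_PROXIES = new Set(['10.0.0.5']);

function resolveProtocol(req, trustedProxies) {
  // What the node process can verify itself: did this socket use TLS?
  const direct = req.socket.encrypted ? 'https' : 'http';
  // Forwarded headers count only when the immediate peer is a known proxy.
  if (!trustedProxies.has(req.socket.remoteAddress)) return direct;
  const header = req.headers['x-forwarded-proto'];
  if (!header) return direct;
  // A chain of proxies may send a comma-separated list; use the first entry.
  const proto = header.split(',')[0].trim().toLowerCase();
  // Accept only the two expected schemes, otherwise fall back.
  return proto === 'https' || proto === 'http' ? proto : direct;
}

// Builds the absolute URL the question wants to store for an uploaded file.
function fileUrl(req, trustedProxies, path) {
  return `${resolveProtocol(req, trustedProxies)}://${req.headers.host}${path}`;
}

// Constructed requests: both arrive over plain HTTP and claim HTTPS.
const headers = { host: 'files.example.com', 'x-forwarded-proto': 'https' };
const viaProxy = { socket: { encrypted: false, remoteAddress: '10.0.0.5' }, headers };
const directClient = { socket: { encrypted: false, remoteAddress: '203.0.113.7' }, headers };

// Proxy trusted: the header is honoured.
console.log(fileUrl(viaProxy, TRUSTED_PROXIES, '/uploads/a.png'));
// Nothing trusted (the question's symptom): falls back to what node saw.
console.log(fileUrl(viaProxy, new Set(), '/uploads/a.png'));
// Header sent by an untrusted peer: ignored.
console.log(fileUrl(directClient, TRUSTED_PROXIES, '/uploads/a.png'));
```

In Express the allow-list role of `TRUSTED_PROXIES` is played by the trust proxy setting, which can be given specific addresses or subnets instead of a blanket `true`.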
