Question
When setting the application variable trust proxy, does the second argument in app.set mean that the server trusts all the requests FROM 127.0.0.1 or TO 127.0.0.1?
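For example:

    app.set('trust proxy', 'loopback');
    // or
    app.set('trust proxy', '127.0.0.1');

and then

    var sess = {
      proxy: true, // express-session: use X-Forwarded-Proto when deciding whether to set secure cookies
      cookie: {
        httpOnly: true,
        secure: true // cookie is only sent when the connection is considered HTTPS
      }
    }
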
According to the documentation, several types of value are allowed as the second argument:
Boolean
If true, the client’s IP address is understood as the left-most entry in the X-Forwarded-* header.
If false, the app is understood as directly facing the Internet and the client’s IP address is derived from req.connection.remoteAddress. This is the default setting.
IP addresses
An IP address, subnet, or an array of IP addresses and subnets to trust. The following list shows the pre-configured subnet names
Answer 1:
I believe this would be for inbound requests (i.e., from 127.0.0.1).
The documentation you linked to is talking about running an Express app behind a proxy. When the requests hit the proxy, the proxy routes the requests to the app, and the app sees the proxy's IP address instead of the original client's IP address.
Setting trust proxy fixes that problem by ignoring the proxy's IP address (in one way or another), as the documentation explains.
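
How the setting is applied to each inbound connection, as an added example that is not part of the original answer and is not Express's own code. It is a simplified model: the helper names (compileTrust, clientIp, protocol) and the sample requests are assumptions, and only IPv4 addresses and ::1 are handled.

```javascript
// Added example: simplified model of 'trust proxy' resolution (hypothetical helpers).

// Is this peer address inside the "loopback" preset (127.0.0.0/8 or ::1)?
function isLoopback(addr) {
  const a = addr.replace(/^::ffff:/i, ''); // unwrap IPv4-mapped IPv6
  return a === '::1' || /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(a);
}

// Turn a 'trust proxy' value into a predicate over peer addresses.
function compileTrust(setting) {
  if (setting === true) return () => true;  // every hop is trusted
  if (!setting) return () => false;         // default: nobody is trusted
  if (setting === 'loopback') return isLoopback;
  const list = [].concat(setting);          // exact IPs only here, no CIDR
  return (addr) => list.includes(addr.replace(/^::ffff:/i, ''));
}

// Start at the TCP peer (where the request came FROM), then walk
// X-Forwarded-For right to left; the first untrusted address is the client.
function clientIp(req, trust) {
  const xff = (req.headers['x-forwarded-for'] || '')
    .split(',').map((s) => s.trim()).filter(Boolean);
  const chain = [req.socket.remoteAddress, ...xff.reverse()];
  for (const addr of chain) {
    if (!trust(addr)) return addr;
  }
  return chain[chain.length - 1];           // all hops trusted: left-most entry
}

// X-Forwarded-Proto is honoured only when the TCP peer itself is trusted.
function protocol(req, trust) {
  if (req.socket.encrypted) return 'https';
  if (!trust(req.socket.remoteAddress)) return 'http';
  return (req.headers['x-forwarded-proto'] || 'http').split(',')[0].trim();
}

// Constructed requests: one relayed by a local reverse proxy, one sent
// directly by a remote peer that supplies its own forwarding headers.
const viaProxy = { socket: { remoteAddress: '127.0.0.1' },
  headers: { 'x-forwarded-for': '203.0.113.7', 'x-forwarded-proto': 'https' } };
const direct = { socket: { remoteAddress: '198.51.100.9' },
  headers: { 'x-forwarded-for': '10.0.0.1', 'x-forwarded-proto': 'https' } };

for (const setting of ['loopback', true, false]) {
  const t = compileTrust(setting);
  console.log(setting, clientIp(viaProxy, t), clientIp(direct, t), protocol(direct, t));
}
```

With 'loopback', forwarding headers are believed only when the connection arrives from the local proxy; with true, the directly connected peer's headers are believed as well, which is why the trusted set should be limited to the addresses of your own proxies.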
Source: https://stackoverflow.com/questions/36137873/using-app-set-to-set-trust-proxy