NodeJS / Express通过HTTP自动检测SSL(HTTPS)的解释?
[英]NodeJS/Express automatic detection of SSL over HTTP (HTTPS) explanation?
问题描述
I have a server over HTTPS on NodeJS with Express. 
我在带有Express的NodeJS上通过HTTPS拥有服务器。
When uploading a file, I have used the req.protocol directive in the controller to get either the HTTP or HTTPS "part" of the URL, so that I can save the file with the absolute URL. 上载文件时,我已在控制器中使用req.protocol指令来获取URL的HTTP或HTTPS“部分”,以便可以使用绝对URL保存文件。 The problem is that without enabling the "trust proxy" setting of express ( http://expressjs.com/en/api.html#trust.proxy.options.table ), HTTPS doesn't get detected. 问题在于,如果未启用express( http://expressjs.com/en/api.html#trust.proxy.options.table )的“信任代理”设置,则不会检测到HTTPS。
I thought this setting was used in the case of the actual redirect (when using the HTTP URL and the server doing the 301 redirect to HTTPS). 我认为此设置是在实际重定向的情况下使用的(使用HTTP URL并且服务器将301重定向到HTTPS时)。
So this is more of an explanation question, rather than a solution one: 因此,这更多是一个解释性问题,而不是解决方案:
Why doesn't the HTTPS get detected when calling the URL through that? 为什么通过URL调用URL时未检测到HTTPS?
1 个解决方案
解决方案1
1 已采纳 2017-10-11 08:30:25
trust proxy has nothing to do with 301 redirects. trust proxy与301重定向无关。
That settings is important when running your node server behind a proxy : 当在代理后面运行节点服务器时,这些设置很重要:
+----------HTTPS--------+---HTTP---+
| | |
client --> internet --> proxy --> node.js
It is typical that you have some sort of proxy between the internet and your node server; 通常,您在Internet和节点服务器之间具有某种代理。 for example a CDN server, a load balancer, or simply an nginx instance or such. 例如CDN服务器,负载平衡器,或者仅仅是nginx实例等。 The HTTPS connection is established between the client and that proxy. 在客户端和该代理之间建立HTTPS连接。 The proxy cares about the necessary wrangling of the SSL certificate and encrypting the connection and doesn't burden your application server (node) with those details. 代理关心SSL证书的必要处理和对连接进行加密,并且不会给您的应用服务器(节点)增加这些细节。 It is then forwarding only the relevant details of the request via plain HTTP to your node server. 然后,它将通过纯HTTP仅将请求的相关详细信息转发到您的节点服务器。 Your server only sees the proxy as the origin of the request, not the client. 您的服务器仅将代理视为请求的源,而不是客户端。
Since the node server didn't itself handle the HTTPS connection, how could it know whether the connection between the client and the proxy was HTTPS? 由于节点服务器本身不处理HTTPS连接,因此如何知道客户端和代理之间的连接是否为HTTPS? It can't. 不可以 The proxy needs to voluntarily forward that information too. 代理也需要自愿转发该信息。 It does so in the X-Forwarded-* HTTP headers. 它在X-Forwarded-* HTTP标头中执行此操作。 The information whether it was specifically HTTP or HTTPS is sent in the X-Forwarded-Proto header. X-Forwarded-Proto标头中发送的信息是专门用于HTTP还是HTTPS。
The thing is, those are just HTTP headers. 事实是,这些只是HTTP标头。 Anyone can set those headers. 任何人都可以设置这些标题。 The client itself could set those headers. 客户端本身可以设置这些标头。 That's why you need to explicitly opt into using those headers with the trust proxy setting, iif and when you know your app will be running behind a proxy which sets those headers. 这就是为什么您需要在trust proxy设置中明确选择使用这些标头, 以及如果您知道您的应用将在设置这些标头的代理后面运行时使用。 When you're not running behind a proxy but your node server is directly exposed to the internet, you must switch that setting off; 如果您没有在代理后面运行,但是您的节点服务器直接暴露在Internet上,则必须将该设置关闭; otherwise anyone could set those headers, your server would obey those headers and be lead to use false information. 否则任何人都可以设置这些标头,那么您的服务器将服从那些标头,并导致使用虚假信息。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.