1

When setting the application variable trust proxy, does the second argument in app.set mean that the server trusts all the requests FROM 127.0.0.1 or TO 127.0.0.1?

For example:

app.set('trust proxy', 'loopback');

// or
app.set('trust proxy', '127.0.0.1');

and then

var sess = {
    proxy: true
     cookie: {
      httpOnly: true,
      secure: true
    }
}

According to the documentation, several types of value are allowed as the second argument:

Boolean

If true, the client’s IP address is understood as the left-most entry in the X-Forwarded-* header.

If false, the app is understood as directly facing the Internet and the client’s IP address is derived from req.connection.remoteAddress. This is the default setting.

IP addresses

An IP address, subnet, or an array of IP addresses and subnets to trust. The following list shows the pre-configured subnet names

Andrew Myers
  • 2,754
  • 5
  • 32
  • 40
PijusV
  • 63
  • 1
  • 10

1 Answers1

7

I believe this would be for inbound requests (i.e., from 127.0.0.1).

The documentation you linked to is talking about running an Express app behind a proxy. When the requests hit the proxy, the proxy routs the requests to the app, and the app sees the proxy's IP address instead of the original client's IP address.

Setting trust proxy fixes that problem by ignoring the proxy's IP address (in one way or another), as the documentation explains.

Andrew Myers
  • 2,754
  • 5
  • 32
  • 40
  • thanks! I wasn't sure how will I need to adjust my express configuration when going to production. But your explanation really cleared it up for me. – PijusV Mar 28 '16 at 19:18