When running an Express app behind a proxy, set (by using app.set()) the application variable trust proxy to one of the values listed in the following table.
Although the app will not fail to run if the application variable trust proxy is not set, it will incorrectly register the proxy’s IP address as the client IP address unless trust proxy is configured.
| Type | Value |
|---|---|
| Boolean | If If |
| IP addresses | An IP address, subnet, or an array of IP addresses and subnets to trust. The following list shows the pre-configured subnet names:
You can set IP addresses in any of the following ways: app.set('trust proxy', 'loopback') // specify a single subnet
app.set('trust proxy', 'loopback, 123.123.123.123') // specify a subnet and an address
app.set('trust proxy', 'loopback, linklocal, uniquelocal') // specify multiple subnets as CSV
app.set('trust proxy', ['loopback', 'linklocal', 'uniquelocal']) // specify multiple subnets as an array
When specified, the IP addresses or the subnets are excluded from the address determination process, and the untrusted IP address nearest to the application server is determined as the client’s IP address. |
| Number | Trust the |
| Function | Custom trust implementation. Use this only if you know what you are doing. app.set('trust proxy', function (ip) {
if (ip === '127.0.0.1' || ip === '123.123.123.123') return true; // trusted IPs
else return false;
});
|
Setting a non-false trust proxy value results in three important changes:
-
The value of req.hostname is derived from the value set in the
X-Forwarded-Hostheader, which can be set by the client or by the proxy. -
X-Forwarded-Protocan be set by the reverse proxy to tell the app whether it ishttpsorhttpor even an invalid name. This value is reflected by req.protocol. -
The req.ip and req.ips values are populated with the list of addresses from
X-Forwarded-For.
The trust proxy setting is implemented using the proxy-addr package. For more information, see its documentation.
Please login to continue.