connect-proxy

Retrieve originating ip/host values when proxying to your connect app

Connect-Proxy

Connect-Proxy is a middleware layer for Connect (running on node.js) that retrieves originating IP/Host values when proxying to your connect app.

Purpose

When proxying to node (often done because of host/port restrictions, despite the shortcomings of this approach), the IP address at req.socket.remoteAddress is the IP of the proxy server and req.headers.host is the internal hostname:port of the node server, e.g. localhost:3000.

This middleware lets you use your connect-based app whether or not your node installation sits behind a proxy. It also helps you use features of Connect and Express that depend on the described header values and would otherwise lead to unexpected results:

  • Logging :remote-addr: The address logged by the :remote-addr token of Connect's logger middleware is no longer the address of the proxy, but the address of the user.
  • Redirecting to '/': When redirecting to relative URLs, Express prepends protocol and host before redirecting. The prepended host is taken from req.headers.host, which leads to redirects to http://localhost:port/ when proxying locally (e.g. proxying through Apache).

It does so by replacing properties of the req object with values taken from special headers containing the originating IP address and the host name that was originally accessed. Most proxies send these kinds of headers, usually x-forwarded-for and x-forwarded-host. These headers can be comma-separated lists in case of multiple proxies, with the left-most being the originating value.

Docs: Apache, Nginx, Squid

Install

npm install connect-proxy

Usage

Require the module:

var proxy = require('connect-proxy');

Use the middleware by calling realValues with an options object:

app.configure(function() {
  app.use(proxy.realValues({
    trusted: '141.10.214.0/24',
    ipHeader: 'x-real-ip'
  }));
});

Options

  • trusted {String} Request headers can be faked. This option tells connect-proxy to trust only the given proxy IP or IP range. IP ranges must be written in CIDR notation. Defaults to '127.0.0.1' if not set or in the wrong format.
  • strict {Boolean} Strict mode, defaults to true. When an untrusted IP address is found, connect-proxy will throw an error. If this is set to false, no error will be thrown and proxy headers will be ignored.
  • ipHeader {String} Header property in which the originating IP address and additional proxy IP addresses are defined. Defaults to 'x-forwarded-for'.
  • hostHeader {String} Header property in which the originating host and additional proxy hosts are defined. Defaults to 'x-forwarded-host'.
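
The trust check and header handling that these options describe, sketched as an added example (this is not connect-proxy's own code). The function names are hypothetical, only IPv4 is handled, and the addresses in the comments and tests are constructed.

```javascript
// Added illustration: names are hypothetical, not connect-proxy's API. IPv4 only.

// Dotted-quad IPv4 (or IPv4-mapped IPv6 as node reports it) -> integer, else null.
function ipv4ToInt(ip) {
  const parts = String(ip).replace(/^::ffff:/i, '').split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// Parse a single IP or a CIDR range; null when the format is wrong.
function parseRange(range) {
  const m = /^([\d.]+)(?:\/(\d{1,2}))?$/.exec(String(range));
  const base = m ? ipv4ToInt(m[1]) : null;
  const bits = m && m[2] !== undefined ? Number(m[2]) : 32;
  if (base === null || bits > 32) return null;
  const size = 2 ** (32 - bits); // number of addresses in the block
  return { block: Math.floor(base / size), size };
}

function inRange(ip, range) {
  const n = ipv4ToInt(ip);
  return n !== null && Math.floor(n / range.size) === range.block;
}

// Left-most entry of a comma-separated header value, or null if absent.
function leftMost(value) {
  return typeof value === 'string' && value.trim() ? value.split(',')[0].trim() : null;
}

// peer: address of the TCP peer (req.socket.remoteAddress); headers: lower-cased names.
function resolveOrigin(peer, headers, opts = {}) {
  const trusted = parseRange(opts.trusted) || parseRange('127.0.0.1');
  const strict = opts.strict !== false;
  if (!inRange(peer, trusted)) {
    if (strict) throw new Error('untrusted proxy address: ' + peer);
    return { ip: peer, host: headers.host }; // forwarded headers ignored
  }
  return {
    ip: leftMost(headers[opts.ipHeader || 'x-forwarded-for']) || peer,
    host: leftMost(headers[opts.hostHeader || 'x-forwarded-host']) || headers.host,
  };
}
```

The left-most entry is only as reliable as the trusted proxy's handling of a header the client already sent, so the proxy should overwrite that header rather than append to it.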

Connect Compatibility

Works with Connect@1.3.0 - if someone finds out more, drop me a line.

License

View the LICENSE file.