Skip to content

This issue was moved to a discussion.

You can continue the conversation there. Go to discussion →

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow reading Forwarded header as alternative to X-Forwarded- #5459

Closed
chriswilty opened this issue Feb 8, 2024 · 3 comments
Closed

Allow reading Forwarded header as alternative to X-Forwarded- #5459

chriswilty opened this issue Feb 8, 2024 · 3 comments

Comments

@chriswilty
Copy link

A few service providers / proxy servers are beginning to use Forwarded header instead of X-Forwarded-For and related headers. This includes AWS's HTTP API Gateway.

Express does not currently support this header, and I can see no way of hooking up the trust proxy mechanism manually to parse this header, so I am a bit stuffed.

Can you either provide a config setting to use this header for trust proxy, or suggest an alternative way to get this to work?
@dougwilson
Copy link
Contributor

Just to answer the latter part, you can use any mechanism you need to get the proxy IP, you are not limited to x-forwarded-for only. Just define your own custom req.ip to do what you need https://expressjs.com/en/guide/overriding-express-api.html

@chriswilty
Copy link
Author

Thanks for the rapid response! That looks really promising, if I am allowed to overwrite the req.ip and req.secure flags. I couldn't find any reference to which Request properties are in which category (assigned or getters), but I'll see if those work for me....

@chriswilty
Copy link
Author

chriswilty commented Feb 9, 2024
edited

Works an absolute treat 🥳

secure-yessss

For anyone else coming here, I overrode request.protocol rather than request.secure. Code works for my use case - I can trust the left-most entry in Forwarded header, and can ignore X-Forwarded headers - but adapt as necessary.

const parseForwardedHeader = (request: typeof app.request) =>
	request.header('Forwarded')
		?.split(",")
		.flatMap((proxy) => proxy.split(';'))
		.reduce((result, proxyProps) => {
			const [key, value] = proxyProps.split('=');
			if (key && value) {
				result[key] = (result[key] || []).concat(value);
			}
			return result;
		}, {} as Record<string, string[]>);

Object.defineProperties(app.request, {
	'ip': {
		configurable: true,
		enumerable: true,
		get() {
			const proxies = parseForwardedHeader(this as typeof app.request);
			return proxies?.['for']?.[0] ?? this.socket.remoteAddress;
		},
	},
	'protocol': {
		configurable: true,
		enumerable: true,
		get() {
			const proxies = parseForwardedHeader(this as typeof app.request);
			return proxies?.['proto']?.[0] ?? this.socket.encrypted ? 'https' : 'http';
		},
	},
});

Importantly, for this use case don't enable trust proxy in case any in-between proxies are adding X-Forwarded- headers.

@IamLizu IamLizu converted this issue into discussion #5861 Aug 24, 2024

This issue was moved to a discussion.

You can continue the conversation there. Go to discussion →

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@dougwilson @chriswilty