Fix req.protocol for proxy-direct connections

fixes #2252
2025-12-06 12:19:51 +01:00 · 2014-07-18 11:33:16 -04:00 · 2014-07-18 11:33:16 -04:00 · 11c74d72eb
commit 11c74d72eb
parent 035685918c
3 changed files with 24 additions and 5 deletions
--- a/History.md
+++ b/History.md
@ -1,6 +1,7 @@
 unreleased
 ==========

+  * fix `req.protocol` for proxy-direct connections
  * configurable query parser with `app.set('query parser', parser)`
    - `app.set('query parser', 'extended')` parse with "qs" module
    - `app.set('query parser', 'simple')` parse with "querystring" core module
--- a/lib/request.js
+++ b/lib/request.js
@ -244,7 +244,9 @@ req.is = function(types){
 * Return the protocol string "http" or "https"
 * when requested with TLS. When the "trust proxy"
 * setting trusts the socket address, the
- * "X-Forwarded-Proto" header field will be trusted.
+ * "X-Forwarded-Proto" header field will be trusted
+ * and used if present.
+ *
 * If you're running behind a reverse proxy that
 * supplies https for you this may be enabled.
 *
@ -253,17 +255,18 @@ req.is = function(types){
 */

 defineGetter(req, 'protocol', function protocol(){
+  var proto = this.connection.encrypted
+    ? 'https'
+    : 'http';
  var trust = this.app.get('trust proxy fn');

  if (!trust(this.connection.remoteAddress)) {
-    return this.connection.encrypted
-      ? 'https'
-      : 'http';
+    return proto;
  }

  // Note: X-Forwarded-Proto is normally only ever a
  //       single value, but this is to be safe.
-  var proto = this.get('X-Forwarded-Proto') || 'http';
+  proto = this.get('X-Forwarded-Proto') || proto;
  return proto.split(/\s*,\s*/)[0];
 });

--- a/test/req.protocol.js
+++ b/test/req.protocol.js
@ -32,6 +32,21 @@ describe('req', function(){
        .expect('https', done);
      })

+      it('should default to the socket addr if X-Forwarded-Proto not present', function(done){
+        var app = express();
+
+        app.enable('trust proxy');
+
+        app.use(function(req, res){
+          req.connection.encrypted = true;
+          res.end(req.protocol);
+        });
+
+        request(app)
+        .get('/')
+        .expect('https', done);
+      })
+
      it('should ignore X-Forwarded-Proto if socket addr not trusted', function(done){
        var app = express();