Configuring trusted proxies

When you deploy your application, it may sit behind a load balancer (e.g. AWS Elastic Load Balancing) or a reverse proxy (e.g. Nginx).

When a request goes through a proxy, the proxy passes the original request information along in the standard Forwarded header or in the X-Forwarded-* headers. This means, for instance, that the real IP address of the user cannot be read from the connection itself (that address belongs to the proxy) but must be taken from a standard Forwarded: for="..." header or from an X-Forwarded-For header.

By default, Expanse does not look for those headers. If you are using a proxy, you will therefore most likely get incorrect information about the client's IP address, whether the client is connecting via HTTPS, the client's port, and the hostname being requested.

Trusting proxies

To trust a proxy, configure the HTTP_TRUSTED_PROXIES setting in your configuration file. Its value is a comma-separated list of IP addresses or CIDR ranges that should be trusted, for example:

HTTP_TRUSTED_PROXIES=127.0.0.1,192.168.1.1
HTTP_TRUSTED_PROXIES=192.0.0.1,10.0.0.0/8

Trusting headers

Now that you have configured which proxies to trust, configure which headers to trust. By default, Expanse trusts the Forwarded header and the X-Forwarded-* headers (except X-Forwarded-Host, see below). To restrict trust to particular headers, configure the HTTP_TRUSTED_HEADERS setting, for example:

HTTP_TRUSTED_HEADERS=Forwarded
HTTP_TRUSTED_HEADERS=X-Forwarded-For,X-Forwarded-Proto,X-Forwarded-Port

Trusting the X-Forwarded-Host header exposes the application to HTTP Host header attacks, because the application will use that value as the requested hostname. Before adding it, make sure the proxy really sends an X-Forwarded-Host header and replaces any value the client supplied, rather than passing it through.

For this reason, Expanse does not trust the X-Forwarded-Host header by default; you must add it to HTTP_TRUSTED_HEADERS explicitly.
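The following is an added example, not code from Expanse, showing the logic that the two settings above drive: forwarding headers are consulted only when the peer delivering the request is in HTTP_TRUSTED_PROXIES, the hop list is walked from the right past our own proxies, and X-Forwarded-Host is honoured only when it is explicitly listed in HTTP_TRUSTED_HEADERS. Python is used because it is convenient to run; the function names, the settings constants and the request values are all constructed for the example, and it assumes both settings are parsed as plain comma-separated lists, as the samples above suggest.

```python
import ipaddress
from typing import Dict, List

# Constructed settings in the same shape as this page's HTTP_TRUSTED_PROXIES and
# HTTP_TRUSTED_HEADERS values (comma-separated IPs/CIDRs and header names).
TRUSTED_PROXIES = "127.0.0.1,10.0.0.0/8"
TRUSTED_HEADERS = "X-Forwarded-For,X-Forwarded-Proto,X-Forwarded-Port"


def parse_trusted_proxies(setting: str) -> list:
    """Comma-separated IPs or CIDR ranges -> ip_network objects (a bare IP becomes /32 or /128)."""
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in setting.split(",") if item.strip()]


def is_trusted(addr: str, nets: list) -> bool:
    """True if addr (a valid IP string) falls inside any trusted network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def parse_forwarded_for(value: str) -> List[str]:
    """Pull the for= node identifiers out of an RFC 7239 Forwarded header, left to right."""
    hops = []
    for element in value.split(","):
        for pair in element.split(";"):
            name, _, val = pair.strip().partition("=")
            if name.strip().lower() != "for":
                continue
            val = val.strip().strip('"')
            if val.startswith("[") and "]" in val:        # "[2001:db8::1]:4711"
                val = val[1:val.index("]")]
            elif val.count(":") == 1:                     # "203.0.113.5:1234"
                val = val.split(":")[0]
            hops.append(val)
    return hops


def _settings(headers: Dict[str, str], trusted_proxies: str, trusted_headers: str):
    """Parse both settings and lower-case the header names once."""
    nets = parse_trusted_proxies(trusted_proxies)
    allowed = {h.strip().lower() for h in trusted_headers.split(",") if h.strip()}
    lower = {k.lower(): v for k, v in headers.items()}
    return nets, allowed, lower


def client_ip(remote_addr: str, headers: Dict[str, str],
              trusted_proxies: str = TRUSTED_PROXIES,
              trusted_headers: str = TRUSTED_HEADERS) -> str:
    """Resolve the client IP the way a trusted-proxy layer should.

    Forwarding headers are consulted only when the peer that delivered the
    request (remote_addr) is itself a trusted proxy; otherwise any client could
    choose its own address simply by sending X-Forwarded-For. The hop list is
    then walked from the right, skipping our own proxies, and the first address
    that is not a trusted proxy is the client. Everything left of it is unverified.
    """
    nets, allowed, lower = _settings(headers, trusted_proxies, trusted_headers)
    if not is_trusted(remote_addr, nets):
        return remote_addr

    hops: List[str] = []
    if "forwarded" in allowed and "forwarded" in lower:
        hops = parse_forwarded_for(lower["forwarded"])
    elif "x-forwarded-for" in allowed and "x-forwarded-for" in lower:
        hops = [h.strip() for h in lower["x-forwarded-for"].split(",") if h.strip()]

    for hop in reversed(hops):
        try:
            if is_trusted(hop, nets):
                continue          # one of our proxies; keep walking left
        except ValueError:
            break                 # "unknown", an obfuscated token, or garbage
        return hop
    # No usable client address: fall back to the address we actually talked to.
    return remote_addr


def request_host(remote_addr: str, headers: Dict[str, str],
                 trusted_proxies: str = TRUSTED_PROXIES,
                 trusted_headers: str = TRUSTED_HEADERS) -> str:
    """Honour X-Forwarded-Host only when a trusted proxy delivered the request AND
    the header was explicitly added to the trusted list; otherwise use Host."""
    nets, allowed, lower = _settings(headers, trusted_proxies, trusted_headers)
    if (is_trusted(remote_addr, nets) and "x-forwarded-host" in allowed
            and "x-forwarded-host" in lower):
        return lower["x-forwarded-host"].split(",")[0].strip()
    return lower.get("host", "")


if __name__ == "__main__":
    # Constructed request from an untrusted peer: its X-Forwarded-For is ignored.
    print(client_ip("203.0.113.7", {"X-Forwarded-For": "198.51.100.9"}))
    # Constructed request via two trusted proxies: the client is the rightmost
    # entry that is not one of our proxies; the leftmost value is unverified.
    print(client_ip("10.0.0.5", {"X-Forwarded-For": "1.2.3.4, 198.51.100.9, 10.0.0.3"}))
```

The right-to-left walk is the part that matters: the rightmost entry was appended by the proxy nearest to the application, so it is the only one whose origin is known, and the walk stops at the first address that is not in HTTP_TRUSTED_PROXIES. A leftmost value that a client injected before the request reached your proxies is never reached, which is also why a trusted-proxy list must not contain ranges broader than the proxies you actually operate.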