部署到heroku时express-rate-limit不起作用

Question

我在本地主机上运行这段代码(发送只有express-rate- limit没有问题)，但当我将它部署/推送到我的heroku应用程序并执行post请求时，它超过了最大限制3。

const router = require('express').Router();
const nodemailer = require('nodemailer');
const rateLimit = require("express-rate-limit");

const apiLimit = rateLimit({
    windowMs: 24 * 60 * 60 * 1000, // 24 hrs
    max: 3, // limit each IP to 3 requests per windowMs
    message: "Spam detected!"
});

router.route('/').post(apiLimit,(req, res) => {

    const transport = nodemailer.createTransport({
        service: 'gmail',
        host : "smtp.gmail.com",
        port : "465",
        ssl : true,
        auth: {
        user: process.env.USER,
        pass: process.env.PASS
    }
    });

    const mailOptions = {
        from: '',
        to: '<myemail>',
        subject: req.body.subject,
        text: "FROM: "+ req.body.email + " MESSAGE: " + req.body.message
    };

    transport.sendMail(mailOptions, (err, info) => {
        err ? res.json(res.status(400).json("Error " + err)) : res.json("Email sent.");
    });

});

module.exports = router ;

在本地主机上提供服务是有效的，当我的请求超过3倍时，它会返回检测到垃圾邮件的消息，并且不再发送邮件。当我在vscode上使用rest api扩展时，显示如下。如果我多做几个post请求，X-Ratelimit-Remaining: 2不会改变。

HTTP/1.1 200 OK
Server: Cowboy
Connection: close
X-Powered-By: Express
Access-Control-Allow-Origin: *
X-Ratelimit-Limit: 3
X-Ratelimit-Remaining: 2
Date: Sun, 21 Jun 2020 03:09:11 GMT
X-Ratelimit-Reset: 1592793933
Content-Type: application/json; charset=utf-8
Content-Length: 13
Etag: W/"d-EBrE0f9LbjD0DZTwvOVLMa8Lqo8"
Via: 1.1 vegur

"Email sent."

Answer 1

在heroku上运行express-rate-limit模块时，似乎没有为客户端获取正确的IP地址。也许是因为heroku在你的服务器前使用了代理？

根据express-rate-limit documentation

// Enable if you're behind a reverse proxy (Heroku, Bluemix, AWS ELB, Nginx, etc)
// see https://expressjs.com/en/guide/behind-proxies.html
// app.set('trust proxy', 1);

因此，看起来您可能需要：

app.set('trust proxy', 1);

这将导致req.ip和req.ips值填充来自X-Forwarded-For报头的地址列表，这可能是express-rate-limiter在代理后面运行时所需要的。