parse-community · drew-gross · Oct 17, 2016 · Jul 10, 2016 · Jul 10, 2016 · Jul 10, 2016
diff --git a/Parse-Dashboard/app.js b/Parse-Dashboard/app.js
@@ -48,13 +48,13 @@ function checkIfIconsExistForApps(apps, iconsFolder) {
   }
 }
 
-module.exports = function(config, allowInsecureHTTP, trustProxy) {
+module.exports = function(config, allowInsecureHTTP) {
   var app = express();
   // Serve public files.
   app.use(express.static(path.join(__dirname,'public')));
 
   // Allow setting via middleware
-  if (trustProxy && app.disabled('trust proxy')) {
+  if (config.trustProxy && app.disabled('trust proxy')) {
     app.enable('trust proxy');
   }
 

diff --git a/Parse-Dashboard/index.js b/Parse-Dashboard/index.js
@@ -34,6 +34,11 @@ const mountPath = program.mountPath || process.env.MOUNT_PATH || '/';
 const allowInsecureHTTP = program.allowInsecureHTTP || process.env.PARSE_DASHBOARD_ALLOW_INSECURE_HTTP;
 const trustProxy = program.trustProxy || process.env.PARSE_DASHBOARD_TRUST_PROXY;
 
+if (trustProxy && allowInsecureHTTP) {
+  console.log("Set only trustProxy *or* allowInsecureHTTP, not both.  Only one is needed to handle being behind a proxy.");
+  process.exit(-1);
+}
+
 let explicitConfigFileProvided = !!program.config;
 let configFile = null;
 let configFromCLI = null;
@@ -108,7 +113,9 @@ p.then(config => {
   const app = express();
 
   if (allowInsecureHTTP || trustProxy) app.enable('trust proxy');
-  app.use(mountPath, parseDashboard(config.data, allowInsecureHTTP, trustProxy));
+
+  config.data.trustProxy = trustProxy;
+  app.use(mountPath, parseDashboard(config.data, allowInsecureHTTP));
   if(!configSSLKey || !configSSLCert){
     // Start the server.
     const server = app.listen(port, host, function () {

diff --git a/README.md b/README.md
@@ -82,7 +82,7 @@ You can also define each configuration option individually.
 HOST: "0.0.0.0"
 PORT: "4040"
 MOUNT_PATH: "/"
-PARSE_DASHBOARD_ALLOW_INSECURE_HTTP: undefined // Or "1" to allow http
+PARSE_DASHBOARD_TRUST_PROXY: undefined // Or "1" to trust connection info from a proxy's X-Forwarded-* headers
 PARSE_DASHBOARD_SERVER_URL: "http://localhost:1337/parse"
 PARSE_DASHBOARD_MASTER_KEY: "myMasterKey"
 PARSE_DASHBOARD_APP_ID: "myAppId"
@@ -213,12 +213,9 @@ Make sure the server URLs for your apps can be accessed by your browser. If you
 ## Security Considerations
 In order to securely deploy the dashboard without leaking your apps master key, you will need to use HTTPS and Basic Authentication.
 
-The deployed dashboard detects if you are using a secure connection. If you are deploying the dashboard behind a load balancer or proxy that does early SSL termination, then the app won't be able to detect that the connection is secure. In this case, you can start the dashboard with the `--allowInsecureHTTP=1` option. You will then be responsible for ensureing that your proxy or load balancer only allows HTTPS.
-
-Alternatively, if you are behind a front-facing proxy and want to rely on the X-Forwarded-* headers for the client's connection and IP address, you can start the dashboard with the  `--trustProxy=1` option (or set the PARSE_DASHBOARD_TRUST_PROXY config var to 1).  This is useful for hosting on services like Heroku, where you can trust the provided proxy headers.  For Heroku in particular, setting this option allows the dashboard to correctly determine whether you're using HTTP or HTTPS.  You can also turn on this setting when using the dashboard as [express](https://github.com/expressjs/express) middleware:
+The deployed dashboard detects if you are using a secure connection. If you are deploying the dashboard behind a load balancer or front-facing proxy, then the app won't be able to detect that the connection is secure. In this case, you can start the dashboard with the `--trustProxy=1` option (or set the PARSE_DASHBOARD_TRUST_PROXY config var to 1) to rely on the X-Forwarded-* headers for the client's connection security.  This is useful for hosting on services like Heroku, where you can trust the provided proxy headers to correctly determine whether you're using HTTP or HTTPS.  You can also turn on this setting when using the dashboard as [express](https://github.com/expressjs/express) middleware:
 
 ```
-var insecureHTTP = false;
 var trustProxy = true;
 var dashboard = new ParseDashboard({
   "apps": [
@@ -228,8 +225,9 @@ var dashboard = new ParseDashboard({
       "masterKey": "myMasterKey",
       "appName": "MyApp"
     }
-  ]
-}, insecureHTTP, trustProxy);
+  ],
+  "trustProxy": 1
+});
 ```