o=e.compareDocumentPosition(t)&Node.DOCUMENT_POSITION_FOLLOWING,n=o?e:t,i=o?t:e,r=document.createRange();r.setStart(n,0),r.setEnd(i,0);var l=r.commonAncestorContainer;if(e!==l&&t!==l||n.contains(i))return s(l)?l:p(l);var f=d(e);return f.host?a(f.host,t):a(e,d(t).host)}function l(e){var t=1<arguments.length&&void 0!==arguments[1]?arguments[1]:'top',o='top'===t?'scrollTop':'scrollLeft',n=e.nodeName;if('BODY'===n||'HTML'===n){var i=e.ownerDocument.documentElement,r=e.ownerDocument.scrollingElement||i;return...

	"github.com/minio/pkg/v3/env"
)

var (
	// De-facto standard header keys.
	xForwardedFor    = http.CanonicalHeaderKey("X-Forwarded-For")
	xForwardedHost   = http.CanonicalHeaderKey("X-Forwarded-Host")
	xForwardedPort   = http.CanonicalHeaderKey("X-Forwarded-Port")
	xForwardedProto  = http.CanonicalHeaderKey("X-Forwarded-Proto")
	xForwardedScheme = http.CanonicalHeaderKey("X-Forwarded-Scheme")

假設你打造了一個在本機執行 AI 代理（AI agent）的方法。

它提供一個 API：

```
http://localhost:8000/v1/agents/multivac
```

同時也有一個前端：

```
http://localhost:8000
```

/// tip | 提示

請注意兩者的主機（host）相同。

///

接著你可以透過前端讓 AI 代理代你執行動作。

由於它在本機執行、而非公開的網際網路上，你決定不設定任何身分驗證，只信任對本機網路的存取。

然後你的某位使用者可能安裝並在本機執行它。

接著他可能打開一個惡意網站，例如：

```
https://evilhackers.example.com
```

强制所有传入请求必须是 `https` 或 `wss`。

任何传向 `http` 或 `ws` 的请求都会被重定向至安全方案。

{* ../../docs_src/advanced_middleware/tutorial001_py310.py hl[2,6] *}

## `TrustedHostMiddleware` { #trustedhostmiddleware }

强制所有传入请求都必须正确设置 `Host` 请求头，以防 HTTP 主机头攻击。

{* ../../docs_src/advanced_middleware/tutorial002_py310.py hl[2,6:8] *}

支持以下参数：

* `allowed_hosts` - 允许的域名（主机名）列表。`*.example.com` 等通配符域名可以匹配子域名。若要允许任意主机名，可使用 `allowed_hosts=["*"]` 或省略此中间件。

    if (url.isHttps) {
      useSslSocketFactory = sslSocketFactory
      useHostnameVerifier = hostnameVerifier
      useCertificatePinner = certificatePinner
    }

    return Address(
      uriHost = url.host,
      uriPort = url.port,
      dns = dns,
      socketFactory = socketFactory,
      sslSocketFactory = useSslSocketFactory,
      hostnameVerifier = useHostnameVerifier,

OkHttp may add headers that are absent from the original request, including `Content-Length`, `Transfer-Encoding`, `User-Agent`, `Host`, `Connection`, and `Content-Type`. It will add an `Accept-Encoding` header for transparent response compression unless the header is already present. If you’ve got cookies, OkHttp will add a `Cookie` header with them.

			req := httptest.NewRequest("GET", "/objectlambda/"+bucketName+"/"+objectName+"?lambdaArn="+url.QueryEscape(lambdaARN), bytes.NewReader(body))
			req.Form = url.Values{"lambdaArn": []string{lambdaARN}}
			req.Header.Set("Host", "localhost")
			req.Header.Set("X-Amz-Date", time.Now().UTC().Format("20060102T150405Z"))
			sum := sha256.Sum256(body)
			req.Header.Set("X-Amz-Content-Sha256", hex.EncodeToString(sum[:]))

* [X-Forwarded-Proto](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Forwarded-Proto)
* [X-Forwarded-Host](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Forwarded-Host)

///

Тем не менее, так как **сервер приложения** не знает, что он находится за доверенным **прокси**, по умолчанию он не будет доверять этим заголовкам.

        assertEquals("apple, banana, pear", o2);
    }

    @Test
    public void testSubstitution() throws IOException {
        String str = "port = 4141" + LINE_SEPARATOR + "host = localhost"
                + LINE_SEPARATOR + "url = https://${host}:${port}/service"
                + LINE_SEPARATOR;
        MavenProperties properties = new MavenProperties();
        properties.load(new StringReader(str));

	stat := make(map[string]madmin.ItemState, len(c.endpoints))
	resp, err := c.client.Version(ctx, &kms.VersionRequest{})

	for _, r := range resp {
		stat[r.Host] = madmin.ItemOnline
	}
	for _, e := range kms.UnwrapHostErrors(err) {
		stat[e.Host] = madmin.ItemOffline
	}
	return stat, nil
}

func (c *kmsConn) ListKeys(ctx context.Context, req *ListRequest) ([]madmin.KMSKeyInfo, string, error) {