Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

[framework-bundle] Added support for the0.0.0.0/0 trusted proxy#15706

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Closed

Conversation

@zerkms
Copy link
Contributor

QA
Bug fix?yes
New feature?no
BC breaks?no
Deprecations?no
Tests pass?yes
LicenseMIT

It is relevant to my other PR:#14690

The original intention was to start accepting0.0.0.0/0 as a trusted proxy (which is a valid CIDR notation).

The prupose is to allow all requests to be treated as trusted and to eliminate using dirty['0.0.0.0/1', '128.0.0.0/1'] workaround.

@zerkmszerkms changed the titleAdded support for the0.0.0.0/0 trusted proxy[framework-bundle] Added support for the0.0.0.0/0 trusted proxySep 7, 2015
@zerkms
Copy link
ContributorAuthor

Guys, anyone?

@zerkms
Copy link
ContributorAuthor

A traditional monthly reminder: guys, could someone please put some attention here?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

I would move this above the earlierif (no need to do thestrpos() check first.

Copy link
ContributorAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

@xabbuh that's a fair point.

Copy link
ContributorAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

@xabbuh from the other hand, the'0.0.0.0/0' scenario is less likely to happen. So how about promoting the more-likely-to-happen scenario over the other?

If we move this check before theif (false !== strpos($v, '/')) { then we would have 2 checks for almost every symfony user, instead of just 1 as it is now.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

That's probably true, but as theConfiguration class won't be checked at runtime it doesn't really matter.

Copy link
ContributorAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

@xabbuh oh, right. Completely missed that point. It does not make much difference then. Let's see if there are more concerns here from someone else.

@xabbuh
Copy link
Member

looks good to me

@fabpot
Copy link
Member

Out of curiosity, why would you want to do that? Is it only for development purpose?

@zerkms
Copy link
ContributorAuthor

@fabpot it's for production:

I have the following configuration:

  1. haproxy terminates https and accepts incoming connections. It puts the original IP address to the X-Forwarded-For and sets x-forwarded-proto to https. So at this point in the remote address - the ip of haproxy, and the client's ip is in the header.
  2. nginx configured withngx_http_realip_module replaces the remote adress with what we have X-Forwarded-For. This simplifies configuration - we can use white/black-lists using the remote ip address and we can use the standard log formats, etc.

So far so good. But as you remember the application is served via HTTPS while symfony runs behind nginx http. Thankfully the x-forwarded-proto is there but for symfony to respect it the remote ip address must be trusted.

What we have: all the requests to nginx come from a trusted proxy (everything is passed through haproxy) but the remote ip address is replaced with ngx_http_realip_module.

Which means that for everything to work as we expected - we need to tell symfony to trust all ip's, hence to0.0.0.0/0.

So in my implementation it's nginx that need to know who to trust to, and symfony just need to trust anyone, since everything was already constrained by haproxy and nginx.

@fabpot
Copy link
Member

Thank you@zerkms.

fabpot added a commit that referenced this pull requestJan 25, 2016
…ed proxy (zerkms)This PR was submitted for the 2.8 branch but it was merged into the 2.3 branch instead (closes#15706).Discussion----------[framework-bundle] Added support for the `0.0.0.0/0` trusted proxy| Q             | A| ------------- | ---| Bug fix?      | yes| New feature?  | no| BC breaks?    | no| Deprecations? | no| Tests pass?   | yes| License       | MITIt is relevant to my other PR:#14690The original intention was to start accepting `0.0.0.0/0` as a trusted proxy (which is a valid CIDR notation).The prupose is to allow all requests to be treated as trusted and to eliminate using dirty `['0.0.0.0/1', '128.0.0.0/1']` workaround.Commits-------3188e1b Added support for the `0.0.0.0/0` trusted proxy
@fabpotfabpot closed thisJan 25, 2016
@fabpotfabpot mentioned this pull requestFeb 3, 2016
@dzuelke
Copy link
Contributor

Can this be backported to 2.8 please,@fabpot ?

@zerkmszerkms deleted the TRUSTED_PROXIES_ZERO_MASK branchFebruary 4, 2016 20:18
@jakzal
Copy link
Contributor

@dzuelke this fix was merged into 2.3, and is already present in the 2.8 branch.

@dzuelke
Copy link
Contributor

Thanks@jakzal

This was referencedFeb 28, 2016
Sign up for freeto join this conversation on GitHub. Already have an account?Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@zerkms@xabbuh@fabpot@dzuelke@jakzal@carsonbot
[8]ページ先頭
©2009-2025 Movatter.jp