@@ -7,66 +7,48 @@ an AWS Elastic Load Balancer) or a reverse proxy (e.g. Varnish for
77
88For the most part, this doesn't cause any problems with Symfony. But, when
99a request passes through a proxy, certain request information is sent using
10- either the standard ``Forwarded `` header or non-standard special ``X-Forwarded-* ``
11- headers. For example, instead of reading the ``REMOTE_ADDR `` header (which
12- will now be the IP address of your reverse proxy), the user's true IP will be
13- stored in a standard ``Forwarded: for="..." `` header or a non standard
14- ``X-Forwarded-For `` header.
10+ either the standard ``Forwarded `` header or ``X-Forwarded-* `` headers. For example,
11+ instead of reading the ``REMOTE_ADDR `` header (which will now be the IP address of
12+ your reverse proxy), the user's true IP will be stored in a standard ``Forwarded: for="..." ``
13+ header or a ``X-Forwarded-For `` header.
1514
1615If you don't configure Symfony to look for these headers, you'll get incorrect
1716information about the client's IP address, whether or not the client is connecting
1817via HTTPS, the client's port and the hostname being requested.
1918
20- Solution: trusted_proxies
21- -------------------------
19+ .. _request-set-trusted-proxies :
2220
23- This is no problem, but you * do * need to tell Symfony what is happening
24- and which reverse proxy IP addresses will be doing this type of thing:
21+ Solution: setTrustedProxies()
22+ -----------------------------
2523
26- ..configuration-block ::
24+ To fix this, you need to tell Symfony which reverse proxy IP addresses to trust
25+ and what headers your reverse proxy uses to send information:
2726
28- ..code-block ::yaml
27+ ..code-block ::php
2928
30- # app/config/config.yml
31- # ...
32- framework :
33- trusted_proxies :[192.0.0.1, 10.0.0.0/8]
29+ // web/app.php
3430
35- ..code-block ::xml
31+ // ...
32+ $request = Request::createFromGlobals();
3633
37- <!-- app/config/config.xml-->
38- <?xml version =" 1.0" encoding =" UTF-8" ?>
39- <container xmlns =" http://symfony.com/schema/dic/services"
40- xmlns : xsi =" http://www.w3.org/2001/XMLSchema-instance"
41- xmlns : framework =" http://symfony.com/schema/dic/symfony"
42- xsi : schemaLocation =" http://symfony.com/schema/dic/services
43- http://symfony.com/schema/dic/services/services-1.0.xsd
44- http://symfony.com/schema/dic/symfony http://symfony.com/schema/dic/symfony/symfony-1.0.xsd" >
34+ // tell Symfony about your reverse proxy
35+ Request::setTrustedProxies(
36+ // the IP address (or range) of your proxy
37+ ['192.0.0.1', '10.0.0.0/8'],
4538
46- <framework : config trusted-proxies =" 192.0.0.1, 10.0.0.0/8" >
47- <!-- ...-->
48- </framework : config >
49- </container >
39+ // trust *all* "X-Forwarded-*" headers
40+ Request::HEADER_X_FORWARDED_ALL
5041
51- ..code-block ::php
42+ // or, if your proxy instead uses the "Forwarded" header
43+ // Request::HEADER_FORWARDED
5244
53- // app/config/config.php
54- $container->loadFromExtension('framework', array(
55- 'trusted_proxies' => array('192.0.0.1', '10.0.0.0/8'),
56- ));
45+ // or, if you're using AWS ELB
46+ // Request::HEADER_X_FORWARDED_AWS_ELB
47+ );
5748
58- In this example, you're saying that your reverse proxy (or proxies) has
59- the IP address ``192.0.0.1 `` or matches the range of IP addresses that use
60- the CIDR notation ``10.0.0.0/8 ``. For more details, see the
61- :ref: `framework.trusted_proxies <reference-framework-trusted-proxies >` option.
62-
63- You are also saying that you trust that the proxy does not send conflicting
64- headers, e.g. sending both ``X-Forwarded-For `` and ``Forwarded `` in the same
65- request.
66-
67- That's it! Symfony will now look for the correct headers to get information
68- like the client's IP address, host, port and whether the request is
69- using HTTPS.
49+ The Request object has several ``Request::HEADER_* `` constants that control exactly
50+ *which * headers from your reverse proxy are trusted. The argument is a bit field,
51+ so you can also pass your own value (e.g. ``0b00110 ``).
7052
7153But what if the IP of my Reverse Proxy Changes Constantly!
7254----------------------------------------------------------
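Review bot: the removed paragraph "You are also saying that you trust that the proxy does not send conflicting headers, e.g. sending both ``X-Forwarded-For`` and ``Forwarded`` in the same request" is still true under the new ``setTrustedProxies()`` signature and should be carried over rather than dropped: the second argument picks which header family is trusted, and if the proxy only sets and filters ``X-Forwarded-*`` while the application also trusts ``Forwarded``, a client can supply its own ``Forwarded`` header and spoof its IP, scheme or host. Suggest one sentence after the bit-field paragraph stating that only the header family the proxy actually sets and strips from incoming requests should be trusted, and that the three alternatives shown as commented lines (``HEADER_X_FORWARDED_ALL``, ``HEADER_FORWARDED``, ``HEADER_X_FORWARDED_AWS_ELB``) are meant to be chosen from, not combined. The ``0b00110`` example is also opaque without the constant values; either list the ``Request::HEADER_*`` constants with their bits or drop the literal.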
@@ -79,60 +61,24 @@ In this case, you'll need to - *very carefully* - trust *all* proxies.
7961 other than your load balancers. For AWS, this can be done with `security groups `_.
8062
8163#. Once you've guaranteed that traffic will only come from your trusted reverse
82- proxies, configure Symfony to *always * trust incoming request. This is
83- done inside of your front controller:
64+ proxies, configure Symfony to *always * trust incoming request:
8465
8566 ..code-block ::diff
8667
8768 // web/app.php
8869
8970 // ...
90- $request = Request::createFromGlobals();
91- + Request::setTrustedProxies(array('127.0.0.1', $request->server->get('REMOTE_ADDR')));
92-
93- // ...
71+ Request::setTrustedProxies(
72+ // trust *all * requests
73+ array('127.0.0.1', $request->server->get('REMOTE_ADDR')),
9474
95- #. Ensure that the trusted_proxies setting in your ``app/config/config.yml ``
96- is not set or it will overwrite the ``setTrustedProxies() `` call above.
75+ // if you're using ELB, otherwise use a constant from above
76+ Request::HEADER_X_FORWARDED_AWS_ELB
77+ );
9778
9879That's it! It's critical that you prevent traffic from all non-trusted sources.
9980If you allow outside traffic, they could "spoof" their true IP address and
10081other information.
10182
102- .. _request-untrust-header :
103-
104- My Reverse Proxy Sends X-Forwarded-For but Does not Filter the Forwarded Header
105- -------------------------------------------------------------------------------
106-
107- Many popular proxy implementations do not yet support the ``Forwarded `` header
108- and do not filter it by default. Ideally, you would configure this in your
109- proxy. If this is not possible, you can tell Symfony to distrust the ``Forwarded ``
110- header, while still trusting your proxy's ``X-Forwarded-For `` header.
111-
112- This is done inside of your front controller::
113-
114- // web/app.php
115-
116- // ...
117- Request::setTrustedHeaderName(Request::HEADER_FORWARDED, null);
118-
119- $response = $kernel->handle($request);
120- // ...
121-
122- Configuring the proxy server trust is very important, as not doing so will
123- allow malicious users to "spoof" their IP address.
124-
125- My Reverse Proxy Uses Non-Standard (not X-Forwarded) Headers
126- ------------------------------------------------------------
127-
128- Although `RFC 7239 `_ recently defined a standard ``Forwarded `` header to disclose
129- all proxy information, most reverse proxies store information in non-standard
130- ``X-Forwarded-* `` headers.
131-
132- But if your reverse proxy uses other non-standard header names, you can configure
133- these (see ":doc: `/components/http_foundation/trusting_proxies `").
134-
135- The code for doing this will need to live in your front controller (e.g. ``web/app.php ``).
136-
13783.. _`security groups` :http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-groups.html
13884.. _`RFC 7239` :http://tools.ietf.org/html/rfc7239
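Review bot: the snippet in the ``code-block:: diff`` now uses ``$request->server->get('REMOTE_ADDR')`` but the line ``$request = Request::createFromGlobals();`` that defined ``$request`` was removed from it, and the inner ``+`` markers that showed which lines the reader should add are gone as well, so the block no longer renders as a diff; either restore the ``$request`` line and the ``+`` prefixes or switch the block to ``code-block:: php``. Two follow-ups from the deleted sections: the ``.. _`RFC 7239``` link target at the end of the file is now unreferenced since the only ``RFC 7239``_ use was in the removed "Non-Standard Headers" section, and the ``.. _request-untrust-header`` label is removed without a replacement, so any ``:ref:`` to it elsewhere in the docs will break; please grep for both before merging.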