8000 Documented how to configure Symfony correctly with regards to the For… · symfony/symfony-docs@87ab598 · GitHub
[go: up one dir, main page]
Skip to content

Commit 87ab598

Browse files
magnusnordlanderxabbuh
magnusnordlander
authored and
xabbuh
committed
Documented how to configure Symfony correctly with regards to the Forwarded header
1 parent 84a1afd commit 87ab598

File tree

3 files changed

+57
-7
lines changed

3 files changed

+57
-7
lines changed

components/http_foundation/trusting_proxies.rst

Lines changed: 15 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -11,9 +11,9 @@ Trusting Proxies
1111

1212
If you find yourself behind some sort of proxy - like a load balancer - then
1313
certain header information may be sent to you using special ``X-Forwarded-*``
14-
headers. For example, the ``Host`` HTTP header is usually used to return
15-
the requested host. But when you're behind a proxy, the true host may be
16-
stored in a ``X-Forwarded-Host`` header.
14+
headers or the ``Forwarded`` header. For example, the ``Host`` HTTP header is
15+
usually used to return the requested host. But when you're behind a proxy,
16+
the actual host may be stored in a ``X-Forwarded-Host`` header.
1717

1818
Since HTTP headers can be spoofed, Symfony does *not* trust these proxy
1919
headers by default. If you are behind a proxy, you should manually whitelist
@@ -30,11 +30,19 @@ your proxy.
3030
// only trust proxy headers coming from this IP addresses
3131
Request::setTrustedProxies(array('192.0.0.1', '10.0.0.0/8'));
3232
33+
You should also make sure that your proxy filters unauthorized use of these
34+
headers, e.g. if a proxy natively uses the ``X-Forwarded-For`` header, it
35+
should not allow clients to send ``Forwarded`` headers to Symfony.
36+
37+
If your proxy does not filter headers appropriately, you need to configure
38+
Symfony not to trust the headers your proxy does not filter (see below).
39+
3340
Configuring Header Names
3441
------------------------
3542

3643
By default, the following proxy headers are trusted:
3744

45+
* ``Forwarded`` Used in :method:`Symfony\\Component\\HttpFoundation\\Request::getClientIp`;
3846
* ``X-Forwarded-For`` Used in :method:`Symfony\\Component\\HttpFoundation\\Request::getClientIp`;
3947
* ``X-Forwarded-Host`` Used in :method:`Symfony\\Component\\HttpFoundation\\Request::getHost`;
4048
* ``X-Forwarded-Port`` Used in :method:`Symfony\\Component\\HttpFoundation\\Request::getPort`;
@@ -43,6 +51,7 @@ By default, the following proxy headers are trusted:
4351
If your reverse proxy uses a different header name for any of these, you
4452
can configure that header name via :method:`Symfony\\Component\\HttpFoundation\\Request::setTrustedHeaderName`::
4553

54+
Request::setTrustedHeaderName(Request::HEADER_FORWARDED, 'X-Forwarded');
4655
Request::setTrustedHeaderName(Request::HEADER_CLIENT_IP, 'X-Proxy-For');
4756
Request::setTrustedHeaderName(Request::HEADER_CLIENT_HOST, 'X-Proxy-Host');
4857
Request::setTrustedHeaderName(Request::HEADER_CLIENT_PORT, 'X-Proxy-Port');
@@ -51,9 +60,9 @@ can configure that header name via :method:`Symfony\\Component\\HttpFoundation\\
5160
Not Trusting certain Headers
5261
----------------------------
5362

54-
By default, if you whitelist your proxy's IP address, then all four headers
63+
By default, if you whitelist your proxy's IP address, then all five headers
5564
listed above are trusted. If you need to trust some of these headers but
5665
not others, you can do that as well::
5766

58-
// disables trusting the ``X-Forwarded-Proto`` header, the default header is used
59-
Request::setTrustedHeaderName(Request::HEADER_CLIENT_PROTO, '');
67+
// disables trusting the ``Forwarded`` header
68+
Request::setTrustedHeaderName(Request::HEADER_FORWARDED, null);

cookbook/cache/varnish.rst

Lines changed: 15 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -24,6 +24,21 @@ Remember to configure :ref:`framework.trusted_proxies <reference-framework-trust
2424
in the Symfony configuration so that Varnish is seen as a trusted proxy and the
2525
:ref:`X-Forwarded <varnish-x-forwarded-headers>` headers are used.
2626

27+
Varnish, in its default configuration, sends the ``X-Forwarded-For`` header but
28+
does not filter out the ``Forwarded`` header. If you have access to the Varnish
29+
configuration file, you can configure Varnish to remove the ``Forwarded``
30+
header:
31+
32+
.. code-block:: varnish4
33+
34+
sub vcl_recv {
35+
remove req.http.Forwarded;
36+
}
37+
38+
If you do not have access to your Varnish configuration, you can instead
39+
configure Symfony to distrust the ``Forwarded`` header as detailed in
40+
:ref:`the cookbook <cookbook-request-untrust-header>`.
41+
2742
.. _varnish-x-forwarded-headers:
2843

2944
Routing and X-FORWARDED Headers

cookbook/request/load_balancer_reverse_proxy.rst

Lines changed: 27 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -23,7 +23,7 @@ via HTTPS, the client's port and the hostname being requested.
2323
Solution: trusted_proxies
2424
-------------------------
2525

26-
This is no problem, but you *do* need to tell Symfony that this is happening
26+
This is no problem, but you *do* need to tell Symfony what is happening
2727
and which reverse proxy IP addresses will be doing this type of thing:
2828

2929
.. configuration-block::
@@ -62,6 +62,9 @@ the IP address ``192.0.0.1`` or matches the range of IP addresses that use
6262
the CIDR notation ``10.0.0.0/8``. For more details, see the
6363
:ref:`framework.trusted_proxies <reference-framework-trusted-proxies>` option.
6464

65+
You are also saying that you trust that the proxy does not send conflicting
66+
headers, e.g. sending both X-Forwarded-For and Forwarded in the same request.
67+
6568
That's it! Symfony will now look for the correct headers to get information
6669
like the client's IP address, host, port and whether the request is
6770
using HTTPS.
@@ -95,6 +98,29 @@ That's it! It's critical that you prevent traffic from all non-trusted sources.
9598
If you allow outside traffic, they could "spoof" their true IP address and
9699
other information.
97100

101+
.. _cookbook-request-untrust-header:
102+
103+
My Reverse Proxy Sends X-Forwarded-For but does not Filter the Forwarded Header
104+
-------------------------------------------------------------------------------
105+
106+
Many popular proxy implementations do not yet support the Forwarded header and
107+
do not filter it by default. Ideally, you would configure this
108+
in your proxy. If this is not possible, you can tell Symfony to distrust
109+
the Forwarded header, while still trusting your proxy's X-Forwarded-For header.
110+
111+
This is done inside of your front controller::
112+
113+
// web/app.php
114+
115+
// ...
116+
Request::setTrustedHeaderName(Request::HEADER_FORWARDED, null);
117+
118+
$response = $kernel->handle($request);
119+
// ...
120+
121+
Configuring the proxy server trust is very important, as not doing so will
122+
malicious users to "spoof" their IP address.
123+
98124
My Reverse Proxy Uses Non-Standard (not X-Forwarded) Headers
99125
------------------------------------------------------------
100126

0 commit comments

Comments
 (0)
0