Trusted proxy examples need safer defaults #7045

dzuelke · 2016-10-06T19:05:29Z

http://symfony.com/doc/current/request/load_balancer_reverse_proxy.html and http://symfony.com/doc/current/components/http_foundation/trusting_proxies.html talk about trusting proxies, and http://symfony.com/doc/current/request/load_balancer_reverse_proxy.html#but-what-if-the-ip-of-my-reverse-proxy-changes-constantly in particular mentions AWS as an example.

AWS ELBs do not set a Forwarded header, making it necessary to follow the instructions at http://symfony.com/doc/current/request/load_balancer_reverse_proxy.html#my-reverse-proxy-sends-x-forwarded-for-but-does-not-filter-the-forwarded-header, but they also do not set an X-Forwarded-Host (only …-For, …-Port and …-Proto), which means, that for a very popular use case (running on AWS, or products that build on it, e.g. Heroku), applications would be vulnerable to spoofing of those headers.

My suggestion would be to

explicitly mention for the AWS case that both Forwarded and X-Forwarded-Host must be distrusted, or better yet
explicitly list known safe combinations for popular IaaS/PaaS systems and then
instruct users to carefully double-check what headers their platform in question supports, and distrust any that it does not.

The text was updated successfully, but these errors were encountered:

dzuelke · 2016-10-13T23:34:36Z

"Cache" is the wrong label @xabbuh :)

xabbuh · 2016-10-21T06:41:01Z

Oops, thanks for the heads up @dzuelke :)

weaverryan · 2017-04-04T00:42:30Z

See symfony/symfony#21830 and symfony/symfony#22238

I haven't digested the changes yet, but I'm updating this milestone to 3.3 because that's where the changes were made and I want to make sure we've got it right for that release :)

nicolas-grekas · 2017-05-25T07:54:45Z

See symfony/symfony#22904

…LB const (nicolas-grekas) This PR was merged into the 3.3 branch. Discussion ---------- [HttpFoundation] Add Request::HEADER_X_FORWARDED_AWS_ELB const | Q | A | ------------- | --- | Branch? | 3.3 | Bug fix? | yes (a missing part of a 3.3 feat.) | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | - | License | MIT | Doc PR | - See symfony/symfony-docs#7045 Commits ------- 9ba12b0 [HttpFoundation] Add Request::HEADER_X_FORWARDED_AWS_ELB const

HeahDude · 2017-07-25T17:51:25Z

Can we close here?

javiereguiluz · 2019-01-21T14:29:18Z

Closing as probably fixed by the mentioned pull requests. Thanks!

dzuelke mentioned this issue Oct 6, 2016

Request should not trust any header names by default symfony/symfony#20178

Closed

xabbuh added the Cache label Oct 11, 2016

xabbuh added HttpFoundation and removed Cache labels Oct 14, 2016

dzuelke mentioned this issue Mar 30, 2017

[HttpFoundation] Add $trustedHeaderSet arg to Request::setTrustedProxies() - deprecate not setting it symfony/symfony#21830

Merged

dzuelke changed the title ~~Trusted proxy examples need safer examples~~ Trusted proxy examples need safer defaults Mar 31, 2017

weaverryan added the Missing Documentation label Apr 4, 2017

weaverryan added this to the 3.3 milestone Apr 4, 2017

nicolas-grekas mentioned this issue May 25, 2017

[HttpFoundation] Add Request::HEADER_X_FORWARDED_AWS_ELB const symfony/symfony#22904

Merged

nicolas-grekas mentioned this issue May 25, 2017

Remove deprecated trusted_proxies config option #7868

Closed

javiereguiluz closed this as completed Jan 21, 2019

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Trusted proxy examples need safer defaults #7045

Trusted proxy examples need safer defaults #7045

Trusted proxy examples need safer defaults #7045

Trusted proxy examples need safer defaults #7045

Comments