From d452137e9c880c7fc06effca47730e4ba9932cb0 Mon Sep 17 00:00:00 2001 From: Tony Cosentino Date: Wed, 24 Sep 2014 21:44:45 +0200 Subject: [PATCH 1/4] Added support for standard Forwarded header Refs https://github.com/symfony/symfony/pull/11379 --- .../request/load_balancer_reverse_proxy.rst | 24 ++++++++++++------- 1 file changed, 16 insertions(+), 8 deletions(-) diff --git a/cookbook/request/load_balancer_reverse_proxy.rst b/cookbook/request/load_balancer_reverse_proxy.rst index e23e0ac01c2..88979f87477 100644 --- a/cookbook/request/load_balancer_reverse_proxy.rst +++ b/cookbook/request/load_balancer_reverse_proxy.rst @@ -7,9 +7,14 @@ an AWS Elastic Load Balancer) or a reverse proxy (e.g. Varnish for For the most part, this doesn't cause any problems with Symfony. But, when a request passes through a proxy, certain request information is sent using -special ``X-Forwarded-*`` headers. For example, instead of reading the ``REMOTE_ADDR`` -header (which will now be the IP address of your reverse proxy), the user's -true IP will be stored in an ``X-Forwarded-For`` header. +either the standard ``Forwarded`` header or non standard special ``X-Forwarded-*`` +headers. For example, instead of reading the ``REMOTE_ADDR`` header (which +will now be the IP address of your reverse proxy), the user's true IP will be +stored in a standard ``Forwarded: for="..."`` header or a non standard +``X-Forwarded-For`` header. + +.. versionadded:: 2.7 + ``Forwarded`` header support was introduced in Symfony 2.7 If you don't configure Symfony to look for these headers, you'll get incorrect information about the client's IP address, whether or not the client is connecting 
@@ -57,9 +62,9 @@ the IP address ``192.0.0.1`` or matches the range of IP addresses that use the CIDR notation ``10.0.0.0/8``. For more details, see the :ref:`framework.trusted_proxies ` option. -That's it! Symfony will now look for the correct ``X-Forwarded-*`` headers -to get information like the client's IP address, host, port and whether or -not the request is using HTTPS. +That's it! Symfony will now look for the correct headers to get information +like the client's IP address, host, port and whether the request is +using HTTPS. But what if the IP of my Reverse Proxy Changes Constantly! ---------------------------------------------------------- @@ -90,9 +95,12 @@ other information. My Reverse Proxy Uses Non-Standard (not X-Forwarded) Headers ------------------------------------------------------------ -Most reverse proxies store information on specific ``X-Forwarded-*`` headers. -But if your reverse proxy uses non-standard header names, you can configure +Although `rfc7239`_ recently defined a standard ``Forwarded`` header to disclose +all proxy information, most reverse proxies store information on non standard +``X-Forwarded-*`` headers. +But if your reverse proxy uses other non-standard header names, you can configure these (see ":doc:`/components/http_foundation/trusting_proxies`"). The code for doing this will need to live in your front controller (e.g. ``web/app.php``). .. _`security groups`: http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/using-elb-security-groups.html +.. _`rfc7239`: http://tools.ietf.org/html/rfc7239 From ac3689b0ecd7f120bdf1cd0f0904a67ddfcf0461 Mon Sep 17 00:00:00 2001 From: Javier Eguiluz Date: Thu, 11 Jun 2015 13:02:01 +0200 Subject: [PATCH 2/4] Added support for standard Forwarded header --- cookbook/request/load_balancer_reverse_proxy.rst | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/cookbook/request/load_balancer_reverse_proxy.rst b/cookbook/request/load_balancer_reverse_proxy.rst index 88979f87477..0ade3346af9 100644 --- a/cookbook/request/load_balancer_reverse_proxy.rst +++ b/cookbook/request/load_balancer_reverse_proxy.rst @@ -7,7 +7,7 @@ an AWS Elastic Load Balancer) or a reverse proxy (e.g. Varnish for For the most part, this doesn't cause any problems with Symfony. But, when a request passes through a proxy, certain request information is sent using -either the standard ``Forwarded`` header or non standard special ``X-Forwarded-*`` +either the standard ``Forwarded`` header or non-standard special ``X-Forwarded-*`` headers. For example, instead of reading the ``REMOTE_ADDR`` header (which will now be the IP address of your reverse proxy), the user's true IP will be stored in a standard ``Forwarded: for="..."`` header or a non standard @@ -95,12 +95,12 @@ other information. My Reverse Proxy Uses Non-Standard (not X-Forwarded) Headers ------------------------------------------------------------ -Although `rfc7239`_ recently defined a standard ``Forwarded`` header to disclose -all proxy information, most reverse proxies store information on non standard +Although `RFC 7239`_ recently defined a standard ``Forwarded`` header to disclose +all proxy information, most reverse proxies store information on non-standard ``X-Forwarded-*`` headers. But if your reverse proxy uses other non-standard header names, you can configure these (see ":doc:`/components/http_foundation/trusting_proxies`"). The code for doing this will need to live in your front controller (e.g. ``web/app.php``). .. _`security groups`: http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/using-elb-security-groups.html -.. _`rfc7239`: http://tools.ietf.org/html/rfc7239 +.. _`RFC 7239`: http://tools.ietf.org/html/rfc7239 From 319c081974198c055c1e352117484a8d78e0a50b Mon Sep 17 00:00:00 2001 
From: Javier Eguiluz Date: Tue, 16 Jun 2015 15:58:08 +0200 Subject: [PATCH 3/4] Fixed a minor grammar issue --- cookbook/request/load_balancer_reverse_proxy.rst | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/cookbook/request/load_balancer_reverse_proxy.rst b/cookbook/request/load_balancer_reverse_proxy.rst index 0ade3346af9..aa1104a7644 100644 --- a/cookbook/request/load_balancer_reverse_proxy.rst +++ b/cookbook/request/load_balancer_reverse_proxy.rst @@ -96,10 +96,12 @@ My Reverse Proxy Uses Non-Standard (not X-Forwarded) Headers ------------------------------------------------------------ Although `RFC 7239`_ recently defined a standard ``Forwarded`` header to disclose -all proxy information, most reverse proxies store information on non-standard +all proxy information, most reverse proxies store information in non-standard ``X-Forwarded-*`` headers. + But if your reverse proxy uses other non-standard header names, you can configure these (see ":doc:`/components/http_foundation/trusting_proxies`"). + The code for doing this will need to live in your front controller (e.g. ``web/app.php``). .. _`security groups`: http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/using-elb-security-groups.html From 8928049d4d23e7ef68fa9bdc02706cb67efeeb84 Mon Sep 17 00:00:00 2001 From: Javier Eguiluz Date: Tue, 16 Jun 2015 22:24:24 +0200 Subject: [PATCH 4/4] Fixed a minor grammar issue --- cookbook/request/load_balancer_reverse_proxy.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cookbook/request/load_balancer_reverse_proxy.rst b/cookbook/request/load_balancer_reverse_proxy.rst index aa1104a7644..f0c864d2a59 100644 --- a/cookbook/request/load_balancer_reverse_proxy.rst +++ b/cookbook/request/load_balancer_reverse_proxy.rst 
@@ -14,7 +14,7 @@ stored in a standard ``Forwarded: for="..."`` header or a non standard ``X-Forwarded-For`` header. .. versionadded:: 2.7 - ``Forwarded`` header support was introduced in Symfony 2.7 + ``Forwarded`` header support was introduced in Symfony 2.7. If you don't configure Symfony to look for these headers, you'll get incorrect information about the client's IP address, whether or not the client is connecting
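Review bot: in the first hunk of PATCH 1/4 (``@@ -7,9 +7,14 @@``), the new sentence says the user's true IP will be stored in "a standard ``Forwarded: for="..."`` header or a non standard ``X-Forwarded-For`` header", but it does not say which of the two is read when a request carries both. Only the header that the trusted proxy itself sets should be believed. I suggest adding a sentence that says which header takes precedence, and that tells readers to configure the proxy to overwrite or strip whichever of the two it does not set.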
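Review bot: "non standard" is still unhyphenated in the context line "header or a non standard" of the ``@@ -7,7 +7,7 @@`` hunk in PATCH 2/4, although the same hunk hyphenates the occurrence two lines above it. The unhyphenated form is still visible in the hunk header context of PATCH 4/4. I suggest changing it to "non-standard" in this hunk so the paragraph is consistent once the series is applied.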
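Review bot: the section heading "My Reverse Proxy Uses Non-Standard (not X-Forwarded) Headers", shown as context in the ``@@ -90,9 +95,12 @@`` hunk of PATCH 1/4, no longer matches the body. The body now describes ``X-Forwarded-*`` as non-standard as well and goes on to "other non-standard header names". I suggest rewording the heading, and adjusting its underline, so that the section clearly covers header names other than ``Forwarded`` and ``X-Forwarded-*``. "recently defined" will also date quickly, so "defined" alone would be safer.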
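Review bot: in the ``@@ -96,10 +96,12 @@`` hunk of PATCH 3/4, the two added blank lines make "But if your reverse proxy uses other non-standard header names" the start of its own paragraph, where the leading "But" reads oddly. I suggest dropping "But" or keeping the sentence attached to the paragraph before it. The subject "Fixed a minor grammar issue" also does not mention the paragraph split, and PATCH 4/4 reuses the same subject for a different change.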