@@ -82,6 +82,12 @@ and what headers your reverse proxy uses to send information:
8282 ;
8383 };
8484
85+ .. deprecated :: 5.2
86+
87+ In previous Symfony versions, the above example used ``HEADER_X_FORWARDED_ALL ``
88+ to trust all "X-Forwarded-" headers, but that constant is deprecated since
89+ Symfony 5.2 in favor of the individual ``HEADER_X_FORWARDED_* `` constants.
90+
8591.. caution ::
8692
8793 Enabling the ``Request::HEADER_X_FORWARDED_HOST `` option exposes the
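Review bot: the new ``deprecated`` note names ``HEADER_X_FORWARDED_ALL`` as replaced by "the individual ``HEADER_X_FORWARDED_*`` constants" but does not say how to choose among them. Because the caution directly below warns about enabling ``Request::HEADER_X_FORWARDED_HOST``, consider adding a sentence telling readers to list only the headers their proxy actually sets, rather than recreating the old "trust all" behaviour by combining every constant.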
@@ -92,6 +98,22 @@ The Request object has several ``Request::HEADER_*`` constants that control exac
9298*which * headers from your reverse proxy are trusted. The argument is a bit field,
9399so you can also pass your own value (e.g. ``0b00110 ``).
94100
101+ .. tip ::
102+
103+ You can set a ``TRUSTED_PROXIES `` env var to configure proxies on a per-environment basis:
104+
105+ .. code-block :: bash
106+
107+ # .env
108+ TRUSTED_PROXIES=127.0.0.1,10.0.0.0/8
109+
110+ .. code-block :: yaml
111+
112+ # config/packages/framework.yaml
113+ framework :
114+ # ...
115+ trusted_proxies : ' %env(TRUSTED_PROXIES)%'
116+
95117 .. caution ::
96118
97119 The "trusted proxies" feature does not work as expected when using the
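Review bot: the sample value in the ``.env`` block, ``TRUSTED_PROXIES=127.0.0.1,10.0.0.0/8``, trusts forwarded headers from every host in a very wide private range, which sits uneasily with the later statement that "It's critical that you prevent traffic from all non-trusted sources." Suggest using a narrower illustrative range, or adding a comment in the example that the value must be replaced with the addresses of your own proxies. The tip also shows only ``trusted_proxies``, so a short pointer back to the trusted headers setting described just above it would make clear that both are needed.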
@@ -123,23 +145,6 @@ That's it! It's critical that you prevent traffic from all non-trusted sources.
123145If you allow outside traffic, they could "spoof" their true IP address and
124146other information.
125147
126- .. tip ::
127-
128- In applications using :ref: `Symfony Flex <symfony-flex >` you can set the
129- ``TRUSTED_PROXIES `` env var:
130-
131- .. code-block :: bash
132-
133- # .env
134- TRUSTED_PROXIES=127.0.0.1,REMOTE_ADDR
135-
136- .. code-block :: yaml
137-
138- # config/packages/framework.yaml
139- framework :
140- # ...
141- trusted_proxies : ' %env(TRUSTED_PROXIES)%'
142-
143148If you are also using a reverse proxy on top of your load balancer (e.g.
144149`CloudFront `_), calling ``$request->server->get('REMOTE_ADDR') `` won't be
145150enough, as it will only trust the node sitting directly above your application
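Review bot: the removed tip was the only place in these hunks showing ``REMOTE_ADDR`` as a value inside the env var (``TRUSTED_PROXIES=127.0.0.1,REMOTE_ADDR``), and the relocated tip replaces it with ``10.0.0.0/8``. The paragraph left in place here still discusses ``$request->server->get('REMOTE_ADDR')``, so please confirm the ``REMOTE_ADDR`` form is still documented elsewhere on the page, or state in the commit message that dropping it is intentional. The reference to :ref:`Symfony Flex <symfony-flex>` is also dropped without explanation.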