minor #18157 Suggest settings trusted proxies via env var for more traditional infrastructure (pyrech)

OskarStark · OskarStark · commit 1436b8b2b81c · 2023-04-26T10:47:15.000+02:00
This PR was squashed before being merged into the 5.4 branch. Discussion ---------- Suggest settings trusted proxies via env var for more traditional infrastructure Looking at the first .env suggestion from the article could be dangerous if one does not see it's from the chapter explaining how to trust all proxies. Commits ------- d7adb14 Suggest settings trusted proxies via env var for more traditional infrastructure
diff --git a/deployment/proxies.rst b/deployment/proxies.rst
@@ -88,6 +88,22 @@ and what headers your reverse proxy uses to send information:
     to trust all "X-Forwarded-" headers, but that constant is deprecated since
     Symfony 5.2 in favor of the individual ``HEADER_X_FORWARDED_*`` constants.
 
+.. tip::
+
+    You can set a ``TRUSTED_PROXIES`` env var to configure proxies on a per-environment basis:
+
+    .. code-block:: bash
+
+        # .env
+        TRUSTED_PROXIES=127.0.0.1,10.0.0.0/8
+
+    .. code-block:: yaml
+
+        # config/packages/framework.yaml
+        framework:
+            # ...
+            trusted_proxies: '%env(TRUSTED_PROXIES)%'
+
 .. caution::
 
     Enabling the ``Request::HEADER_X_FORWARDED_HOST`` option exposes the
@@ -136,23 +152,6 @@ That's it! It's critical that you prevent traffic from all non-trusted sources.
 If you allow outside traffic, they could "spoof" their true IP address and
 other information.
 
-.. tip::
-
-    In applications using :ref:`Symfony Flex <symfony-flex>` you can set the
-    ``TRUSTED_PROXIES`` env var:
-
-    .. code-block:: bash
-
-        # .env
-        TRUSTED_PROXIES=127.0.0.1,REMOTE_ADDR
-
-    .. code-block:: yaml
-
-        # config/packages/framework.yaml
-        framework:
-            # ...
-            trusted_proxies: '%env(TRUSTED_PROXIES)%'
-
 If you are also using a reverse proxy on top of your load balancer (e.g.
 `CloudFront`_), calling ``$request->server->get('REMOTE_ADDR')`` won't be
 enough, as it will only trust the node sitting directly above your application
