@@ -25,7 +25,7 @@ access control should be used on this request. The following ``access_control``
2525options are used for matching:
2626
2727* ``path ``: a regular expression (without delimiters)
28- * ``ip `` or ``ips ``: netmasks are also supported
28+ * ``ip `` or ``ips ``: netmasks are also supported (can be a comma-separated string)
2929* ``port ``: an integer
3030* ``host ``: a regular expression
3131* ``methods ``: one or many methods
@@ -37,6 +37,9 @@ Take the following ``access_control`` entries as an example:
3737 .. code-block :: yaml
3838
3939 # config/packages/security.yaml
40+ parameters :
41+ env(TRUSTED_IPS) : ' 10.0.0.1, 10.0.0.2'
42+
4043 security :
4144 # ...
4245 access_control :
@@ -45,6 +48,10 @@ Take the following ``access_control`` entries as an example:
4548 - { path: '^/admin', roles: ROLE_USER_HOST, host: symfony\.com$ }
4649 - { path: '^/admin', roles: ROLE_USER_METHOD, methods: [POST, PUT] }
4750
51+ # ips can be comma-separated, which is especially useful when using env variables
52+ - { path: '^/admin', roles: ROLE_USER_IP, ips: '%env(TRUSTED_IPS)%' }
53+ - { path: '^/admin', roles: ROLE_USER_IP, ips: [127.0.0.1, ::1, '%env(TRUSTED_IPS)%'] }
54+
4855 .. code-block :: xml
4956
5057 <!-- config/packages/security.xml -->
@@ -57,18 +64,31 @@ Take the following ``access_control`` entries as an example:
5764 http://symfony.com/schema/dic/security
5865 https://symfony.com/schema/dic/security/security-1.0.xsd" >
5966
67+ <srv : parameters >
68+ <srv : parameter key =" env(TRUSTED_IPS)" >10.0.0.1, 10.0.0.2</parameter >
69+ </srv : parameters >
70+
6071 <config >
6172 <!-- ... -->
6273 <rule path =" ^/admin" role =" ROLE_USER_IP" ip =" 127.0.0.1" />
6374 <rule path =" ^/admin" role =" ROLE_USER_PORT" ip =" 127.0.0.1" port =" 8080" />
6475 <rule path =" ^/admin" role =" ROLE_USER_HOST" host =" symfony\.com$" />
6576 <rule path =" ^/admin" role =" ROLE_USER_METHOD" methods =" POST, PUT" />
77+
78+ <!-- ips can be comma-separated, which is especially useful when using env variables -->
79+ <rule path =" ^/admin" role =" ROLE_USER_IP" ip =" %env(TRUSTED_IPS)%" />
80+ <rule path =" ^/admin" role =" ROLE_USER_IP" >
81+ <ip >127.0.0.1</ip >
82+ <ip >::1</ip >
83+ <ip >%env(TRUSTED_IPS)%</ip >
84+ </rule >
6685 </config >
6786 </srv : container >
6887
6988 .. code-block :: php
7089
7190 // config/packages/security.php
91+ $container->setParameter('env(TRUSTED_IPS)', '10.0.0.1, 10.0.0.2');
7292 $container->loadFromExtension('security', [
7393 // ...
7494 'access_control' => [
@@ -92,10 +112,30 @@ Take the following ``access_control`` entries as an example:
92112 'path' => '^/admin',
93113 'roles' => 'ROLE_USER_METHOD',
94114 'methods' => 'POST, PUT',
95- ]
115+ ],
116+
117+ // ips can be comma-separated, which is especially useful when using env variables
118+ [
119+ 'path' => '^/admin',
120+ 'roles' => 'ROLE_USER_IP',
121+ 'ips' => '%env(TRUSTED_IPS)%',
122+ ],
123+ [
124+ 'path' => '^/admin',
125+ 'roles' => 'ROLE_USER_IP',
126+ 'ips' => [
127+ '127.0.0.1',
128+ '::1',
129+ '%env(TRUSTED_IPS)%',
130+ ],
131+ ],
96132 ],
97133 ]);
98134
135+ .. versionadded :: 5.2
136+
137+ Support for comma-separated IP addresses was introduced in Symfony 5.2.
138+
99139For each incoming request, Symfony will decide which ``access_control ``
100140to use based on the URI, the client's IP address, the incoming host name,
101141and the request method. Remember, the first rule that matches is used, and
@@ -133,73 +173,6 @@ if ``ip``, ``port``, ``host`` or ``method`` are not specified for an entry, that
133173 :ref: `Deny access in PHP code <security-securing-controller >` if you want
134174 to disallow access based on ``$_GET `` parameter values.
135175
136- .. versionadded :: 5.2
137-
138- Environment variables can be used to pass comma separated ip addresses
139- (as a single value or as one of array values):
140-
141- .. configuration-block ::
142-
143- .. code-block :: yaml
144-
145- # config/packages/security.yaml
146- parameters :
147- env(TRUSTED_IPS) : ' 10.0.0.1, 10.0.0.2'
148- security :
149- # ...
150- access_control :
151- - { path: '^/admin', ips: '%env(TRUSTED_IPS)%' }
152- - { path: '^/admin', ips: [127.0.0.1, ::1, '%env(TRUSTED_IPS)%'] }
153-
154- .. code-block :: xml
155-
156- <!-- config/packages/security.xml -->
157- <?xml version =" 1.0" encoding =" UTF-8" ?>
158- <srv : container xmlns =" http://symfony.com/schema/dic/security"
159- xmlns : xsi =" http://www.w3.org/2001/XMLSchema-instance"
160- xmlns : srv =" http://symfony.com/schema/dic/services"
161- xsi : schemaLocation =" http://symfony.com/schema/dic/services
162- https://symfony.com/schema/dic/services/services-1.0.xsd
163- http://symfony.com/schema/dic/security
164- https://symfony.com/schema/dic/security/security-1.0.xsd" >
165-
166- <parameters >
167- <parameter key =" env(TRUSTED_IPS)" >10.0.0.1, 10.0.0.2</parameter >
168- </parameters >
169-
170- <config >
171- <!-- ... -->
172- <rule path =" ^/admin" ip =" %env(TRUSTED_IPS)%" />
173- <rule path =" ^/admin" >
174- <ip >127.0.0.1</ip >
175- <ip >::1</ip >
176- <ip >%env(TRUSTED_IPS)%</ip >
177- </rule >
178- </config >
179- </srv : container >
180-
181- .. code-block :: php
182-
183- // config/packages/security.php
184- $container->setParameter('env(TRUSTED_IPS)', '10.0.0.1, 10.0.0.2');
185- $container->loadFromExtension('security', [
186- // ...
187- 'access_control' => [
188- [
189- 'path' => '^/admin',
190- 'ips' => '%env(TRUSTED_IPS)%',
191- ],
192- [
193- 'path' => '^/admin',
194- 'ips' => [
195- '127.0.0.1',
196- '::1',
197- '%env(TRUSTED_IPS)%',
198- ],
199- ],
200- ],
201- ]);
202-
203176.. _security-access-control-enforcement-options :
204177
2051782. Access Enforcement