Suggest Flex config for more traditional infrastructure

pyrech · web-flow · commit 392d0d9e21cc · 2023-04-02T11:51:22.000+02:00
diff --git a/deployment/proxies.rst b/deployment/proxies.rst
@@ -88,6 +88,23 @@ and what headers your reverse proxy uses to send information:
     to trust all "X-Forwarded-" headers, but that constant is deprecated since
     Symfony 5.2 in favor of the individual ``HEADER_X_FORWARDED_*`` constants.
 
+.. tip::
+
+    In applications using :ref:`Symfony Flex <symfony-flex>` you can set the
+    ``TRUSTED_PROXIES`` env var:
+
+    .. code-block:: bash
+
+        # .env
+        TRUSTED_PROXIES=127.0.0.1
+
+    .. code-block:: yaml
+
+        # config/packages/framework.yaml
+        framework:
+            # ...
+            trusted_proxies: '%env(TRUSTED_PROXIES)%'
+
 .. caution::
 
     Enabling the ``Request::HEADER_X_FORWARDED_HOST`` option exposes the
@@ -136,23 +153,6 @@ That's it! It's critical that you prevent traffic from all non-trusted sources.
 If you allow outside traffic, they could "spoof" their true IP address and
 other information.
 
-.. tip::
-
-    In applications using :ref:`Symfony Flex <symfony-flex>` you can set the
-    ``TRUSTED_PROXIES`` env var:
-
-    .. code-block:: bash
-
-        # .env
-        TRUSTED_PROXIES=127.0.0.1,REMOTE_ADDR
-
-    .. code-block:: yaml
-
-        # config/packages/framework.yaml
-        framework:
-            # ...
-            trusted_proxies: '%env(TRUSTED_PROXIES)%'
-
 If you are also using a reverse proxy on top of your load balancer (e.g.
 `CloudFront`_), calling ``$request->server->get('REMOTE_ADDR')`` won't be
 enough, as it will only trust the node sitting directly above your application
