From 96634f50cd80760f744bcc9de869eddf59591a37 Mon Sep 17 00:00:00 2001 From: David Buchmann Date: Tue, 16 Jan 2024 11:45:58 +0100 Subject: [PATCH] Add help for hidden SSL termination --- deployment/proxies.rst | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/deployment/proxies.rst b/deployment/proxies.rst index e846f95a808..c3692aa12f4 100644 --- a/deployment/proxies.rst +++ b/deployment/proxies.rst @@ -164,8 +164,31 @@ handling the request:: // ... $response = $kernel->handle($request); +Overriding configuration behind hidden SSL termination +------------------------------------------------------ + +Some cloud setups (like running a Docker container with the "Web App for Containers" +in `Microsoft Azure`_) do SSL termination and contact your web server over http, but +do not change the remote address nor set the ``X-Forwarded-*`` headers. This means +the trusted proxy funcationality of Symfony can't help you. + +Once you made sure your server is only reachable through the cloud proxy over HTTPS +and not through HTTP, you can override the information your web server sends to PHP. +For Nginx, this could look like this: + +.. code-block:: nginx + + location ~ ^/index\.php$ { + fastcgi_pass 127.0.0.1:9000; + include fastcgi.conf; + # Lie to symfony about the protocol and port so that it generates the correct https URLs + fastcgi_param SERVER_PORT "443"; + fastcgi_param HTTPS "on"; + } + .. _`security groups`: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-groups.html .. _`CloudFront`: https://en.wikipedia.org/wiki/Amazon_CloudFront .. _`CloudFront IP ranges`: https://ip-ranges.amazonaws.com/ip-ranges.json .. _`HTTP Host header attacks`: https://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html .. _`nginx realip module`: https://nginx.org/en/docs/http/ngx_http_realip_module.html +.. _`Microsoft Azure`: https://en.wikipedia.org/wiki/Microsoft_Azure
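Review bot: In the added paragraph that precedes the Nginx block, the precondition ("your server is only reachable through the cloud proxy over HTTPS and not through HTTP") carries the whole safety of this override, yet it reads as a passing remark. With ``fastcgi_param HTTPS "on";`` and ``fastcgi_param SERVER_PORT "443";`` hardcoded, PHP is told that every request arrived over HTTPS on port 443, including any request that reaches the web server over plain HTTP by some other route. I would state that consequence explicitly and set the precondition apart as a warning rather than leaving it inline. Wording nits in the same hunk: "funcationality" should be "functionality", "Once you made sure" reads better as "Once you have made sure", and the config comment should capitalise "Symfony".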