From 9e2ce9af0222f78ab6bf96691c9595304c4d9cf2 Mon Sep 17 00:00:00 2001 From: Jarek Jakubowski Date: Wed, 3 May 2017 16:12:49 +0200 Subject: [PATCH 1/4] Remove deprecated trusted_proxies config option --- reference/configuration/framework.rst | 39 --------------------------- 1 file changed, 39 deletions(-) diff --git a/reference/configuration/framework.rst b/reference/configuration/framework.rst index 2be0eb506eb..5e8ef06581b 100644 --- a/reference/configuration/framework.rst +++ b/reference/configuration/framework.rst @@ -22,7 +22,6 @@ Configuration * `secret`_ * `http_method_override`_ -* `trusted_proxies`_ * `ide`_ * `test`_ * `default_locale`_ @@ -184,44 +183,6 @@ named ``kernel.http_method_override``. $request = Request::createFromGlobals(); // ... -.. _reference-framework-trusted-proxies: - -trusted_proxies -~~~~~~~~~~~~~~~ - -**type**: ``array`` - -Configures the IP addresses that should be trusted as proxies. For more -details, see :doc:`/request/load_balancer_reverse_proxy`. - -.. configuration-block:: - - .. code-block:: yaml - - # app/config/config.yml - framework: - trusted_proxies: [192.0.0.1, 10.0.0.0/8] - - .. code-block:: xml - - - - - - - - - .. code-block:: php - - // app/config/config.php - $container->loadFromExtension('framework', array( - 'trusted_proxies' => array('192.0.0.1', '10.0.0.0/8'), - )); - ide ~~~ From 44c11c5c4bad274cdd941fe89028d5341438f117 Mon Sep 17 00:00:00 2001 From: Jarek Jakubowski Date: Wed, 3 May 2017 16:23:12 +0200 Subject: [PATCH 2/4] Remove deprecated trusted_proxies config option --- request/load_balancer_reverse_proxy.rst | 34 +++++-------------------- 1 file changed, 7 insertions(+), 27 deletions(-) diff --git a/request/load_balancer_reverse_proxy.rst b/request/load_balancer_reverse_proxy.rst index 03f64ea8e0f..4424848c6d2 100644 --- a/request/load_balancer_reverse_proxy.rst +++ b/request/load_balancer_reverse_proxy.rst 
@@ -25,39 +25,19 @@ and which reverse proxy IP addresses will be doing this type of thing: .. configuration-block:: - .. code-block:: yaml - - # app/config/config.yml - # ... - framework: - trusted_proxies: [192.0.0.1, 10.0.0.0/8] - - .. code-block:: xml - - - - + .. code-block:: diff - - - - + // web/app.php - .. code-block:: php + // ... + $request = Request::createFromGlobals(); + + Request::setTrustedProxies(['127.0.0.1', '10.0.0.0/8']); - // app/config/config.php - $container->loadFromExtension('framework', array( - 'trusted_proxies' => array('192.0.0.1', '10.0.0.0/8'), - )); + // ... In this example, you're saying that your reverse proxy (or proxies) has the IP address ``192.0.0.1`` or matches the range of IP addresses that use -the CIDR notation ``10.0.0.0/8``. For more details, see the -:ref:`framework.trusted_proxies ` option. +the CIDR notation ``10.0.0.0/8``. You are also saying that you trust that the proxy does not send conflicting headers, e.g. sending both ``X-Forwarded-For`` and ``Forwarded`` in the same From a84e2a52872835b8b2932e6b3cb475ce6cd90a84 Mon Sep 17 00:00:00 2001 From: Christian Flothmann Date: Fri, 12 May 2017 17:23:16 +0200 Subject: [PATCH 3/4] replace diff code block with PHP code block --- request/load_balancer_reverse_proxy.rst | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/request/load_balancer_reverse_proxy.rst b/request/load_balancer_reverse_proxy.rst index 4424848c6d2..1e44810a241 100644 --- a/request/load_balancer_reverse_proxy.rst +++ b/request/load_balancer_reverse_proxy.rst 
@@ -23,17 +23,18 @@ Solution: trusted_proxies This is no problem, but you *do* need to tell Symfony what is happening and which reverse proxy IP addresses will be doing this type of thing: -.. configuration-block:: +.. code-block:: php - .. code-block:: diff + // web/app.php - // web/app.php + // ... + $request = Request::createFromGlobals(); - // ... - $request = Request::createFromGlobals(); - + Request::setTrustedProxies(['127.0.0.1', '10.0.0.0/8']); + // use the setTrustedProxies() method to tell Symfony + // about your reverse proxy IP addresses + Request::setTrustedProxies(['127.0.0.1', '10.0.0.0/8']); - // ... + // ... In this example, you're saying that your reverse proxy (or proxies) has the IP address ``192.0.0.1`` or matches the range of IP addresses that use From 0ca42f7b398d1dd61e1eac720efd4115e0166073 Mon Sep 17 00:00:00 2001 From: Christian Flothmann Date: Fri, 12 May 2017 17:31:21 +0200 Subject: [PATCH 4/4] replace trusted_proxies reference --- http_cache/varnish.rst | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/http_cache/varnish.rst b/http_cache/varnish.rst index 64df73241cb..2e5dc6c41f1 100644 --- a/http_cache/varnish.rst +++ b/http_cache/varnish.rst 
@@ -20,9 +20,9 @@ Varnish automatically forwards the IP as ``X-Forwarded-For`` and leaves the trusted proxy, Symfony will see all requests as coming through insecure HTTP connections from the Varnish host instead of the real client. -Remember to configure :ref:`framework.trusted_proxies ` -in the Symfony configuration so that Varnish is seen as a trusted proxy and the -:ref:`X-Forwarded ` headers are used. +Remember to call the :method:`Symfony\\Component\\HttpFoundation\\Request::setTrustedProxies` +method in your front controller so that Varnish is seen as a trusted proxy +and the :ref:`X-Forwarded ` headers are used. Varnish, in its default configuration, sends the ``X-Forwarded-For`` header but does not filter out the ``Forwarded`` header. If you have access to the Varnish
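Review bot: In PATCH 1/4, the second hunk of reference/configuration/framework.rst deletes the `.. _reference-framework-trusted-proxies:` label along with the section, so any `:ref:` elsewhere in the docs that still targets that label will stop resolving. Patches 2/4 and 4/4 remove two `framework.trusted_proxies` references; please search the rest of the tree for the label before merging. The deleted section was also the only pointer from this page to `/request/load_balancer_reverse_proxy`, so consider whether the reference page should keep a one-line pointer there for readers who arrive looking for the old option.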
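Review bot: In PATCH 2/4 (request/load_balancer_reverse_proxy.rst), the added call is `Request::setTrustedProxies(['127.0.0.1', '10.0.0.0/8']);` but the unchanged sentence right after it still says the proxy "has the IP address ``192.0.0.1``", so the example and its explanation now disagree about which address is trusted. Since this list decides whose forwarded headers are honoured, the prose and the code should name the same addresses: either change the sentence to ``127.0.0.1`` or keep `192.0.0.1` in the call as the removed YAML and PHP examples had it.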
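Review bot: In PATCH 3/4 (request/load_balancer_reverse_proxy.rst), the hunk header shows the enclosing section is still titled "Solution: trusted_proxies", which names the config option this series removes while the body now documents a method call. Suggest renaming the heading after `setTrustedProxies()` in the same patch, and checking for anchors or links that depend on the old title. The trailing context line also still mentions ``192.0.0.1`` while the example passes `'127.0.0.1'`; that mismatch carries over unchanged from 2/4.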
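Review bot: In PATCH 4/4 (http_cache/varnish.rst), the replacement sentence links only to the API entry for `setTrustedProxies` and no longer points to a page that shows how to use it, whereas the old text linked to the config reference with an example. Suggest adding a `:doc:` link to `/request/load_balancer_reverse_proxy`, where the front-controller call is shown, and stating that the address to pass is that of the Varnish host mentioned in the preceding paragraph, so readers do not trust a wider range than the cache itself.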