[Http][DI] Replace REMOTE_ADDR in trusted proxies with the current REMOTE_ADDR #33574
Conversation
6b033ef to
704d028
Compare
|
I don't think you need this: use |
|
@nicolas-grekas this is not equivalent. Proxies can be chained. Trusting |
|
@mcfedr can you check whether your ELB proxies appears as an remote address belonging to the private IP range ? If yes, maybe you could trust the private IP ranges for your use case (though I don't know how isolated your AWS instances are when not using an AWS VPC). |
you may be right, but I'm missing the why: This only reads the direct REMOTE_ADDR. When does the difference you describe apply? |
|
@nicolas-grekas |
|
|
|
@nicolas-grekas it also uses |
|
The chain is the problem with using |
Oh, OK! Now I get the issue, it's related to |
704d028 to
fe5372a
Compare
|
All done. |
fe5372a to
643c9ff
Compare
|
Thank you @mcfedr. |
… the current REMOTE_ADDR (mcfedr) This PR was merged into the 4.4 branch. Discussion ---------- [Http][DI] Replace REMOTE_ADDR in trusted proxies with the current REMOTE_ADDR | Q | A | ------------- | --- | Branch? | 4.4 | Bug fix? | no | New feature? | yes | Deprecations? | no | License | MIT | Doc PR | Currently handling trusted ips when deploying behind some CDNs/Load balancers such as ELB is difficult because they dont have a constant IP address, its possible to overcome this as is suggested by the docs - https://symfony.com/doc/current/deployment/proxies.html#but-what-if-the-ip-of-my-reverse-proxy-changes-constantly - by settings trusted proxies to `$request->server->get('REMOTE_ADDR')` - but this has to be done in code, and so becomes dangerous if you code is deployed in different environments. This change would allow the developer to stick to providing the envvar `TRUSTED_PROXIES`, and in the environment behind a ELB set the value to the literal string `REMOTE_ADDR`, and have it replaced at run time. This way in environments that are not using ELB his app is kept safe. I think doing this replacement in `Request:: setTrustedProxies` is the best place because it means this feature isn't exposed to other parts of the code that might call `Request::getTrustedProxies`. Commits ------- 643c9ff Replace REMOTE_ADDR in trusted proxies with the current REMOTE_ADDR
…or private IP address ranges to `Request::setTrustedProxies()` (nicolas-grekas) This PR was merged into the 7.2 branch. Discussion ---------- [HttpFoundation] Add `PRIVATE_SUBNETS` as a shortcut for private IP address ranges to `Request::setTrustedProxies()` | Q | A | ------------- | --- | Branch? | 7.2 | Bug fix? | no | New feature? | no | Deprecations? | no | Issues | - | License | MIT Let's save some memory allocations and callbacks when we can. Tweaks #33574 and #52924 Commits ------- 6bd4b4a [HttpFoundation] Add `PRIVATE_SUBNETS` as a shortcut for private IP address ranges to `Request::setTrustedProxies()`
Currently handling trusted ips when deploying behind some CDNs/Load balancers such as ELB is difficult because they dont have a constant IP address, its possible to overcome this as is suggested by the docs - https://symfony.com/doc/current/deployment/proxies.html#but-what-if-the-ip-of-my-reverse-proxy-changes-constantly - by settings trusted proxies to
$request->server->get('REMOTE_ADDR')- but this has to be done in code, and so becomes dangerous if you code is deployed in different environments.This change would allow the developer to stick to providing the envvar
TRUSTED_PROXIES, and in the environment behind a ELB set the value to the literal stringREMOTE_ADDR, and have it replaced at run time. This way in environments that are not using ELB his app is kept safe.I think doing this replacement in
Request:: setTrustedProxiesis the best place because it means this feature isn't exposed to other parts of the code that might callRequest::getTrustedProxies.