diff --git a/deployment/proxies.rst b/deployment/proxies.rst
index cae9e285648..15725b67007 100644
--- a/deployment/proxies.rst
+++ b/deployment/proxies.rst
@@ -22,28 +22,69 @@ Solution: ``setTrustedProxies()``
---------------------------------
To fix this, you need to tell Symfony which reverse proxy IP addresses to trust
-and what headers your reverse proxy uses to send information::
-
- // public/index.php
-
- // ...
- $request = Request::createFromGlobals();
-
- // tell Symfony about your reverse proxy
- Request::setTrustedProxies(
- // the IP address (or range) of your proxy
- ['192.0.0.1', '10.0.0.0/8'],
-
- // trust *all* "X-Forwarded-*" headers
- Request::HEADER_X_FORWARDED_FOR | Request::HEADER_X_FORWARDED_HOST | Request::HEADER_X_FORWARDED_PORT | Request::HEADER_X_FORWARDED_PROTO
-
- // or, if your proxy instead uses the "Forwarded" header
- // Request::HEADER_FORWARDED
-
- // or, if you're using a well-known proxy
- // Request::HEADER_X_FORWARDED_AWS_ELB
- // Request::HEADER_X_FORWARDED_TRAEFIK
- );
+and what headers your reverse proxy uses to send information:
+
+.. configuration-block::
+
+ .. config-block:: yaml
+
+ # config/packages/framework.yaml
+ framework:
+ # ...
+ // the IP address (or range) of your proxy
+ trusted_proxies: '192.0.0.1,10.0.0.0/8'
+ // trust *all* "X-Forwarded-*" headers (the ! prefix means to not trust those headers)
+ trusted_headers: ['x-forwarded-all', '!x-forwarded-host', '!x-forwarded-prefix']
+ // or, if your proxy instead uses the "Forwarded" header
+ trusted_headers: ['forwarded', '!x-forwarded-host', '!x-forwarded-prefix']
+ // or, if you're using a wellknown proxy
+ trusted_headers: [!php/const Symfony\\Component\\HttpFoundation\\Request::HEADER_X_FORWARDED_AWS_ELB, '!x-forwarded-host', '!x-forwarded-prefix']
+ trusted_headers: [!php/const Symfony\\Component\\HttpFoundation\\Request::HEADER_X_FORWARDED_TRAEFIK, '!x-forwarded-host', '!x-forwarded-prefix']
+
+ .. config-block:: xml
+
+
+
+
+
+
+
+ 192.0.0.1,10.0.0.0/8
+
+
+ x-forwarded-all
+ !x-forwarded-host
+ !x-forwarded-prefix
+
+
+ forwarded
+ !x-forwarded-host
+ !x-forwarded-prefix
+
+
+
+ .. config-block:: php
+
+ // config/packages/framework.php
+ use Symfony\Component\HttpFoundation\Request;
+
+ $container->loadFromExtension('framework', [
+ // the IP address (or range) of your proxy
+ 'trusted_proxies' => '192.0.0.1,10.0.0.0/8',
+ // trust *all* "X-Forwarded-*" headers (the ! prefix means to not trust those headers)
+ 'trusted_headers' => ['x-forwarded-all', '!x-forwarded-host', '!x-forwarded-prefix'],
+ // or, if your proxy instead uses the "Forwarded" header
+ 'trusted_headers' => ['forwarded', '!x-forwarded-host', '!x-forwarded-prefix'],
+ // or, if you're using a wellknown proxy
+ 'trusted_headers' => [Request::HEADER_X_FORWARDED_AWS_ELB, '!x-forwarded-host', '!x-forwarded-prefix'],
+ 'trusted_headers' => [Request::HEADER_X_FORWARDED_TRAEFIK, '!x-forwarded-host', '!x-forwarded-prefix'],
+ ]);
.. deprecated:: 5.2
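Review bot: The comment lines in the added YAML block start with ``//`` (for example ``// the IP address (or range) of your proxy``), which is not YAML comment syntax; they need ``#``. The YAML and PHP blocks also list ``trusted_headers`` four times as live entries, so a reader who copies the sample hits a duplicate-key problem in YAML, and in PHP only the last entry (the Traefik constant) takes effect. Keep one active entry and comment out the alternatives, as the removed ``setTrustedProxies()`` example did. Two smaller points: ``.. config-block::`` is presumably meant to be ``.. code-block::`` inside ``configuration-block``, and "wellknown" should be "well-known".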
@@ -61,6 +102,13 @@ The Request object has several ``Request::HEADER_*`` constants that control exac
*which* headers from your reverse proxy are trusted. The argument is a bit field,
so you can also pass your own value (e.g. ``0b00110``).
+.. versionadded:: 5.2
+
+ The feature to configure trusted proxies and headers with ``trusted_proxies``
+ and ``trusted_headers`` options was introduced in Symfony 5.2. In earlier
+ Symfony versions you needed to use the ``Request::setTrustedProxies()``
+ method in the ``public/index.php`` file.
+
But what if the IP of my Reverse Proxy Changes Constantly!
----------------------------------------------------------
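Review bot: The context sentence just above the new ``versionadded`` block still says "The argument is a bit field", which reads as referring to the ``Request::setTrustedProxies()`` call that this patch removes from the main example. Since the section now leads with ``trusted_headers``, say here how the string values (``x-forwarded-all``, ``forwarded``, the ``!`` exclusions) relate to the ``Request::HEADER_*`` constants, or reword the sentence so it names the method explicitly.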
@@ -74,17 +122,17 @@ In this case, you'll need to - *very carefully* - trust *all* proxies.
#. Once you've guaranteed that traffic will only come from your trusted reverse
proxies, configure Symfony to *always* trust incoming request::
- // public/index.php
+ .. config-block:: yaml
- // ...
- Request::setTrustedProxies(
- // trust *all* requests (the 'REMOTE_ADDR' string is replaced at
- // run time by $_SERVER['REMOTE_ADDR'])
- ['127.0.0.1', 'REMOTE_ADDR'],
+ # config/packages/framework.yaml
+ framework:
+ # ...
+ // trust *all* requests (the 'REMOTE_ADDR' string is replaced at
+ // run time by $_SERVER['REMOTE_ADDR'])
+ trusted_proxies: '127.0.0.1,REMOTE_ADDR'
- // if you're using ELB, otherwise use a constant from above
- Request::HEADER_X_FORWARDED_AWS_ELB
- );
+ // if you're using ELB, otherwise use another Request::HEADER-* constant
+ trusted_headers: [!php/const Symfony\\Component\\HttpFoundation\\Request::HEADER_X_FORWARDED_AWS_ELB, '!x-forwarded-host', '!x-forwarded-prefix']
That's it! It's critical that you prevent traffic from all non-trusted sources.
If you allow outside traffic, they could "spoof" their true IP address and
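Review bot: The YAML added in this step again uses ``//`` for comments (``// trust *all* requests ...`` and ``// if you're using ELB ...``); these must be ``#`` or the file will not parse as intended. The comment also names ``Request::HEADER-* constant`` where the constants are ``Request::HEADER_*``. The list item still ends with ``::``, which opens a literal block, while the patch now places a directive under it, so one of the two should go. Because ``trusted_proxies: '127.0.0.1,REMOTE_ADDR'`` trusts every sender, this sample is the one readers are most likely to paste as-is and is worth getting syntactically exact.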
@@ -100,6 +148,12 @@ other information.
# .env
TRUSTED_PROXIES=127.0.0.1,REMOTE_ADDR
+ .. config-block:: yaml
+
+ # config/packages/framework.yaml
+ framework:
+ # ...
+ trusted_proxies: '%env(TRUSTED_PROXIES)%'
If you are also using a reverse proxy on top of your load balancer (e.g.
`CloudFront`_), calling ``$request->server->get('REMOTE_ADDR')`` won't be
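Review bot: The added ``framework.yaml`` snippet wires ``trusted_proxies`` to ``%env(TRUSTED_PROXIES)%`` but says nothing about ``trusted_headers``, so a reader following only this part cannot tell which forwarded headers end up trusted. Either add the matching ``trusted_headers`` line or state which value applies when it is omitted. The ``.. config-block:: yaml`` directive name has the same problem as in the earlier hunks.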
@@ -111,11 +165,13 @@ trusted proxies.
Custom Headers When Using a Reverse Proxy
-----------------------------------------
-Some reverse proxies (like `CloudFront`_ with ``CloudFront-Forwarded-Proto``) may force you to use a custom header.
-For instance you have ``Custom-Forwarded-Proto`` instead of ``X-Forwarded-Proto``.
+Some reverse proxies (like `CloudFront`_ with ``CloudFront-Forwarded-Proto``)
+may force you to use a custom header. For instance you have
+``Custom-Forwarded-Proto`` instead of ``X-Forwarded-Proto``.
-In this case, you'll need to set the header ``X-Forwarded-Proto`` with the value of
-``Custom-Forwarded-Proto`` early enough in your application, i.e. before handling the request::
+In this case, you'll need to set the header ``X-Forwarded-Proto`` with the value
+of ``Custom-Forwarded-Proto`` early enough in your application, i.e. before
+handling the request::
// public/index.php
diff --git a/reference/configuration/framework.rst b/reference/configuration/framework.rst
index df964b6d0ba..3a26887300e 100644
--- a/reference/configuration/framework.rst
+++ b/reference/configuration/framework.rst
@@ -284,6 +284,7 @@ Configuration
* `logging`_
* :ref:`paths `
+* `trusted_headers`_
* `trusted_hosts`_
* `trusted_proxies`_
* `validation`_
@@ -380,12 +381,32 @@ named ``kernel.http_method_override``.
$request = Request::createFromGlobals();
// ...
+.. _reference-framework-trusted-headers:
+
+trusted_headers
+~~~~~~~~~~~~~~~
+
+.. versionadded:: 5.2
+
+ The ``trusted_headers`` option was introduced in Symfony 5.2.
+
+The ``trusted_headers`` option is needed to configure which client information
+should be trusted (e.g. their host) when running Symfony behind a load balancer
+or a reverse proxy. See :doc:`/deployment/proxies`.
+
.. _reference-framework-trusted-proxies:
trusted_proxies
~~~~~~~~~~~~~~~
-The ``trusted_proxies`` option was removed in Symfony 3.3. See :doc:`/deployment/proxies`.
+.. versionadded:: 5.2
+
+ The ``trusted_headers`` option was reintroduced in Symfony 5.2 (it had been
+ removed in Symfony 3.3).
+
+The ``trusted_proxies`` option is needed to get precise information about the
+client (e.g. their IP address) when running Symfony behind a load balancer or a
+reverse proxy. See :doc:`/deployment/proxies`.
ide
~~~
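Review bot: The ``versionadded`` text under the ``trusted_proxies`` heading names the wrong option: "The ``trusted_headers`` option was reintroduced in Symfony 5.2 (it had been removed in Symfony 3.3)" should say ``trusted_proxies``, which is the option the removed line describes as dropped in 3.3. As written it contradicts the ``trusted_headers`` section above, which says that option was introduced (not reintroduced) in 5.2.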