From ed876afea26130915acd7395a0ae9bf8b3828549 Mon Sep 17 00:00:00 2001 From: Javier Eguiluz Date: Wed, 18 Jan 2017 11:01:35 +0100 Subject: [PATCH 1/2] Added a minor help note about Request::setTrustedProxies --- components/http_foundation/trusting_proxies.rst | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/components/http_foundation/trusting_proxies.rst b/components/http_foundation/trusting_proxies.rst index 461d6ddac57..d81dac2559d 100644 --- a/components/http_foundation/trusting_proxies.rst +++ b/components/http_foundation/trusting_proxies.rst @@ -17,7 +17,7 @@ the actual host may be stored in an ``X-Forwarded-Host`` header. Since HTTP headers can be spoofed, Symfony does *not* trust these proxy headers by default. If you are behind a proxy, you should manually whitelist -your proxy. +your proxy as follows: .. versionadded:: 2.3 CIDR notation support was introduced in Symfony 2.3, so you can whitelist whole @@ -27,7 +27,8 @@ your proxy. use Symfony\Component\HttpFoundation\Request; - // only trust proxy headers coming from this IP addresses + // put this code as early as possible in your application (e.g. in your + // front controller) to only trust proxy headers coming from these IP addresses Request::setTrustedProxies(array('192.0.0.1', '10.0.0.0/8')); You should also make sure that your proxy filters unauthorized use of these From 34b0f3c3f0aac10541475cdebf1ddfecec0e3782 Mon Sep 17 00:00:00 2001 From: Javier Eguiluz Date: Sun, 22 Jan 2017 22:43:33 +0100 Subject: [PATCH 2/2] Moved the "versionadded" directive --- components/http_foundation/trusting_proxies.rst | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/components/http_foundation/trusting_proxies.rst b/components/http_foundation/trusting_proxies.rst index d81dac2559d..9fc5ead0f36 100644 --- a/components/http_foundation/trusting_proxies.rst +++ b/components/http_foundation/trusting_proxies.rst 
@@ -19,10 +19,6 @@ Since HTTP headers can be spoofed, Symfony does *not* trust these proxy headers by default. If you are behind a proxy, you should manually whitelist your proxy as follows: -.. versionadded:: 2.3 - CIDR notation support was introduced in Symfony 2.3, so you can whitelist whole - subnets (e.g. ``10.0.0.0/8``, ``fc00::/7``). - .. code-block:: php use Symfony\Component\HttpFoundation\Request; @@ -31,6 +27,10 @@ your proxy as follows: // front controller) to only trust proxy headers coming from these IP addresses Request::setTrustedProxies(array('192.0.0.1', '10.0.0.0/8')); +.. versionadded:: 2.3 + CIDR notation support was introduced in Symfony 2.3, so you can whitelist whole + subnets (e.g. ``10.0.0.0/8``, ``fc00::/7``). + You should also make sure that your proxy filters unauthorized use of these headers, e.g. if a proxy natively uses the ``X-Forwarded-For`` header, it should not allow clients to send ``Forwarded`` headers to Symfony.
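Review bot: in the first hunk of PATCH 1/2 (``@@ -17,7 +17,7 @@``), changing "your proxy." to "your proxy as follows:" leaves the colon pointing at the ``.. versionadded:: 2.3`` directive rather than at the ``.. code-block:: php`` it announces, so the reader hits the CIDR note before the example. The fix is to move the directive below the code block, which is exactly what PATCH 2/2 does; consider squashing the two commits so the intermediate state never lands.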
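Review bot: in the second hunk of PATCH 1/2 (``@@ -27,7 +27,8 @@``), the new comment says where to put the call ("as early as possible ... e.g. in your front controller") but not why, and the why is the security point the surrounding text makes: these headers can be spoofed and are untrusted by default, so any code that reads the client IP or host before ``Request::setTrustedProxies()`` runs sees the raw, spoofable values. Suggest one more comment line, e.g. ``// anything that reads the client IP or host before this call will not see the proxy headers``. Also, the second comment line runs past 80 columns including indentation; rewrapping it keeps the docs code style consistent.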
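Review bot: in the second hunk of PATCH 2/2 (``@@ -31,6 +27,10 @@``), the re-added ``.. versionadded:: 2.3`` block is byte-identical to the one removed in the previous hunk, so nothing is lost, and it now sits after the example, where the CIDR mention (``10.0.0.0/8``, ``fc00::/7``) explains the ``'10.0.0.0/8'`` the reader has just seen. One small follow-up: the directive mentions IPv6 CIDR support but the example only shows an IPv4 subnet; adding ``'fc00::/7'`` to the ``setTrustedProxies()`` array would make the example match the note.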