New Private Subnets Shortcut for Trusted Proxies

Nicolas Grekas
Contributed by Nicolas Grekas in #58154

If your Symfony application works behind a load balancer or reverse proxy (AWS Elastic Load Balancing, Varnish, etc.), you need to tell Symfony which reverse proxy IP addresses to trust. If the IP of the reverse proxy changes constantly, you must configure a range of IPs to trust.

In Symfony 7.2, we're adding PRIVATE_SUBNETS as a shortcut for the value of the constant IpUtils::PRIVATE_SUBNETS, so your configuration is easier to read and maintain:

1
2
3
# config/packages/framework.yaml
framework:
    trusted_proxies: '127.0.0.1,PRIVATE_SUBNETS'

Configure Trusted Proxies with Environment Variables

Nicolas Grekas
Contributed by Nicolas Grekas in #58161

The trusted proxies configuration is currently done in configuration files (YAML, XML, or PHP format) like this:

1
2
3
4
5
6
7
# config/packages/framework.yaml
framework:
    # ...
    trusted_proxies: '192.0.0.1,10.0.0.0/8'
    trusted_headers: ['x-forwarded-for', 'x-forwarded-host', 'x-forwarded-proto', 'x-forwarded-port', 'x-forwarded-prefix']
    trusted_hosts: ['...']
    trust_x_sendfile_type_header: true

In Symfony 7.2 we're simplifying this thanks to new environment variables. Instead of configuring the previous file, you can now set the trusted proxies configuration in these env vars:

  • SYMFONY_TRUST_X_SENDFILE_TYPE_HEADER
  • SYMFONY_TRUSTED_HEADERS
  • SYMFONY_TRUSTED_HOSTS
  • SYMFONY_TRUSTED_PROXIES
Published in #Living on the edge