Skip to content
  • About
    • What is Symfony?
    • Community
    • News
    • Contributing
    • Support
  • Documentation
    • Symfony Docs
    • Symfony Book
    • Screencasts
    • Symfony Bundles
    • Symfony Cloud
    • Training
  • Services
    • SensioLabs Professional services to help you with Symfony
    • Platform.sh for Symfony Best platform to deploy Symfony apps
    • SymfonyInsight Automatic quality checks for your apps
    • Symfony Certification Prove your knowledge and boost your career
    • Blackfire Profile and monitor performance of your apps
  • Other
  • Blog
  • Download
sponsored by SensioLabs
  1. Home
  2. Documentation
  3. Components
  4. Http Foundation
  5. Trusting Proxies
  • Documentation
  • Book
  • Reference
  • Bundles
  • Cloud

Table of Contents

  • Configuring Header Names
  • Not trusting certain Headers

Trusting Proxies

Edit this page

Warning: You are browsing the documentation for Symfony 2.0, which is no longer maintained.

Read the updated version of this page for Symfony 6.2 (the current stable version).

Trusting Proxies

If you find yourself behind some sort of proxy - like a load balancer - then certain header information may be sent to you using special X-Forwarded-* headers. For example, the Host HTTP header is usually used to return the requested host. But when you're behind a proxy, the true host may be stored in a X-Forwarded-Host header.

Since HTTP headers can be spoofed, Symfony2 does not trust these proxy headers by default. If you are behind a proxy, you should manually whitelist your proxy:

1
2
3
4
5
use Symfony\Component\HttpFoundation\Request;

$request = Request::createFromGlobals();
// only trust proxy headers coming from this IP address
$request->setTrustedProxies(array('192.0.0.1'));

Configuring Header Names

By default, the following proxy headers are trusted:

  • X-Forwarded-For Used in getClientIp();
  • X-Forwarded-Host Used in getHost();
  • X-Forwarded-Port Used in getPort();
  • X-Forwarded-Proto Used in getScheme() and isSecure();

If your reverse proxy uses a different header name for any of these, you can configure that header name via setTrustedHeaderName():

1
2
3
4
$request->setTrustedHeaderName(Request::HEADER_CLIENT_IP, 'X-Proxy-For');
$request->setTrustedHeaderName(Request::HEADER_CLIENT_HOST, 'X-Proxy-Host');
$request->setTrustedHeaderName(Request::HEADER_CLIENT_PORT, 'X-Proxy-Port');
$request->setTrustedHeaderName(Request::HEADER_CLIENT_PROTO, 'X-Proxy-Proto');

Not trusting certain Headers

By default, if you whitelist your proxy's IP address, then all four headers listed above are trusted. If you need to trust some of these headers but not others, you can do that as well:

1
2
// disables trusting the ``X-Forwarded-Proto`` header, the default header is used
$request->setTrustedHeaderName(Request::HEADER_CLIENT_PROTO, '');
This work, including the code samples, is licensed under a Creative Commons BY-SA 3.0 license.
TOC
    Version
    We stand with Ukraine.
    Version:
    Symfony Code Performance Profiling

    Symfony Code Performance Profiling

    Peruse our complete Symfony & PHP solutions catalog for your web development needs.

    Peruse our complete Symfony & PHP solutions catalog for your web development needs.

    Symfony footer

    ↓ Our footer now uses the colors of the Ukrainian flag because Symfony stands with the people of Ukraine.

    Avatar of Enrico, a Symfony contributor

    Thanks Enrico for being a Symfony contributor

    2 commits • 4 lines changed

    View all contributors that help us make Symfony

    Become a Symfony contributor

    Be an active part of the community and contribute ideas, code and bug fixes. Both experts and newcomers are welcome.

    Learn how to contribute

    Symfony™ is a trademark of Symfony SAS. All rights reserved.

    • What is Symfony?

      • Symfony at a Glance
      • Symfony Components
      • Case Studies
      • Symfony Releases
      • Security Policy
      • Logo & Screenshots
      • Trademark & Licenses
      • symfony1 Legacy
    • Learn Symfony

      • Symfony Docs
      • Symfony Book
      • Reference
      • Bundles
      • Best Practices
      • Training
      • eLearning Platform
      • Certification
    • Screencasts

      • Learn Symfony
      • Learn PHP
      • Learn JavaScript
      • Learn Drupal
      • Learn RESTful APIs
    • Community

      • SymfonyConnect
      • Support
      • How to be Involved
      • Code of Conduct
      • Events & Meetups
      • Projects using Symfony
      • Downloads Stats
      • Contributors
      • Backers
    • Blog

      • Events & Meetups
      • A week of symfony
      • Case studies
      • Cloud
      • Community
      • Conferences
      • Diversity
      • Documentation
      • Living on the edge
      • Releases
      • Security Advisories
      • SymfonyInsight
      • Twig
      • SensioLabs
    • Services

      • SensioLabs services
      • Train developers
      • Manage your project quality
      • Improve your project performance
      • Host Symfony projects

      Deployed on

    Follow Symfony

    Search by Algolia