How to Configure Symfony to Work behind a Load Balancer or a Reverse Proxy

Warning: You are browsing the documentation for Symfony 2.x, which is no longer maintained.

Read the updated version of this page for Symfony 7.2 (the current stable version).

When you deploy your application, you may be behind a load balancer (e.g. an AWS Elastic Load Balancing) or a reverse proxy (e.g. Varnish for caching).

For the most part, this doesn't cause any problems with Symfony. But, when a request passes through a proxy, certain request information is sent using either the standard Forwarded header or non-standard special X-Forwarded-* headers. For example, instead of reading the REMOTE_ADDR header (which will now be the IP address of your reverse proxy), the user's true IP will be stored in a standard Forwarded: for="..." header or a non standard X-Forwarded-For header.

2.7

Forwarded header support was introduced in Symfony 2.7.

If you don't configure Symfony to look for these headers, you'll get incorrect information about the client's IP address, whether or not the client is connecting via HTTPS, the client's port and the hostname being requested.

Solution: trusted_proxies

This is no problem, but you do need to tell Symfony what is happening and which reverse proxy IP addresses will be doing this type of thing:

        1
2
3
4
        # app/config/config.yml
# ...
framework:
    trusted_proxies:  [192.0.0.1, 10.0.0.0/8]
    

        1
2
3
4
5
6
7
8
9
10
11
12
13
        <!-- app/config/config.xml -->
<?xml version="1.0" encoding="UTF-8" ?>
<container xmlns="http://symfony.com/schema/dic/services"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:framework="http://symfony.com/schema/dic/symfony"
    xsi:schemaLocation="http://symfony.com/schema/dic/services
        http://symfony.com/schema/dic/services/services-1.0.xsd
        http://symfony.com/schema/dic/symfony http://symfony.com/schema/dic/symfony/symfony-1.0.xsd">

    <framework:config trusted-proxies="192.0.0.1, 10.0.0.0/8">
        <!-- ... -->
    </framework:config>
</container>
    

        1
2
3
4
        // app/config/config.php
$container->loadFromExtension('framework', array(
    'trusted_proxies' => array('192.0.0.1', '10.0.0.0/8'),
));
    

In this example, you're saying that your reverse proxy (or proxies) has the IP address 192.0.0.1 or matches the range of IP addresses that use the CIDR notation 10.0.0.0/8. For more details, see the framework.trusted_proxies option.

You are also saying that you trust that the proxy does not send conflicting headers, e.g. sending both X-Forwarded-For and Forwarded in the same request.

That's it! Symfony will now look for the correct headers to get information like the client's IP address, host, port and whether the request is using HTTPS.

But what if the IP of my Reverse Proxy Changes Constantly!

Some reverse proxies (like AWS Elastic Load Balancing) don't have a static IP address or even a range that you can target with the CIDR notation. In this case, you'll need to - very carefully - trust all proxies.

Configure your web server(s) to not respond to traffic from any clients other than your load balancers. For AWS, this can be done with security groups.
Once you've guaranteed that traffic will only come from your trusted reverse proxies, configure Symfony to always trust incoming request. This is done inside of your front controller:
```
1
2
3
4
5
6
7
```
```
// web/app.php

// ...
$request = Request::createFromGlobals();
+ Request::setTrustedProxies(array('127.0.0.1', $request->server->get('REMOTE_ADDR')));

// ...
```
Ensure that the trusted_proxies setting in your app/config/config.yml is not set or it will overwrite the setTrustedProxies() call above.

That's it! It's critical that you prevent traffic from all non-trusted sources. If you allow outside traffic, they could "spoof" their true IP address and other information.

My Reverse Proxy Sends X-Forwarded-For but Does not Filter the Forwarded Header

Many popular proxy implementations do not yet support the Forwarded header and do not filter it by default. Ideally, you would configure this in your proxy. If this is not possible, you can tell Symfony to distrust the Forwarded header, while still trusting your proxy's X-Forwarded-For header.

This is done inside of your front controller:

        1
2
3
4
5
6
7
        // web/app.php

// ...
Request::setTrustedHeaderName(Request::HEADER_FORWARDED, null);

$response = $kernel->handle($request);
// ...
    

Configuring the proxy server trust is very important, as not doing so will allow malicious users to "spoof" their IP address.

My Reverse Proxy Uses Non-Standard (not X-Forwarded) Headers

Although RFC 7239 recently defined a standard Forwarded header to disclose all proxy information, most reverse proxies store information in non-standard X-Forwarded-* headers.

But if your reverse proxy uses other non-standard header names, you can configure these (see "Trusting Proxies").

The code for doing this will need to live in your front controller (e.g. web/app.php).

My Reverse Proxy Does not Provide All the Standard Headers

AWS Elastic Load Balancing for example does not provide the X-Forwarded-Host and X-Forwarded HTTP headers, so you must make the following changes in the front controller:

        1
2
3
4
5
6
7
8
9
10
11
12
        // web/app.php

// ...
$request = Request::createFromGlobals();
// be very careful with the next line; see "But what if the IP of my Reverse Proxy Changes Constantly!"
+ Request::setTrustedProxies(array('127.0.0.1', $request->server->get('REMOTE_ADDR')));
// the next line is needed because AWS ELB doesn't send X-Forwarded-Host
+ Request::setTrustedHeaderName(Request::HEADER_CLIENT_HOST, null);
// the next line is needed because AWS ELB doesn't use RFC 7239
+ Request::setTrustedHeaderName(Request::HEADER_FORWARDED, null);

// ...
    

This work, including the code samples, is licensed under a Creative Commons BY-SA 3.0 license.

TOC

Version