Trusting ProxiesEdit this page
Warning: You are browsing the documentation for Symfony 2.4, which is no longer maintained.
Read the updated version of this page for Symfony 6.1 (the current stable version).
If you're using the Symfony Framework, start by reading How to Configure Symfony to Work behind a Load Balancer or a Reverse Proxy.
If you find yourself behind some sort of proxy - like a load balancer - then
certain header information may be sent to you using special
headers. For example, the
Host HTTP header is usually used to return
the requested host. But when you're behind a proxy, the true host may be
stored in a
Since HTTP headers can be spoofed, Symfony does not trust these proxy headers by default. If you are behind a proxy, you should manually whitelist your proxy.
CIDR notation support was introduced in Symfony 2.3, so you can whitelist whole
1 2 3 4
use Symfony\Component\HttpFoundation\Request; // only trust proxy headers coming from this IP addresses Request::setTrustedProxies(array('192.0.0.1', '10.0.0.0/8'));
By default, the following proxy headers are trusted:
X-Forwarded-ForUsed in getClientIp();
X-Forwarded-HostUsed in getHost();
X-Forwarded-PortUsed in getPort();
X-Forwarded-ProtoUsed in getScheme() and isSecure();
If your reverse proxy uses a different header name for any of these, you can configure that header name via setTrustedHeaderName():
1 2 3 4
Request::setTrustedHeaderName(Request::HEADER_CLIENT_IP, 'X-Proxy-For'); Request::setTrustedHeaderName(Request::HEADER_CLIENT_HOST, 'X-Proxy-Host'); Request::setTrustedHeaderName(Request::HEADER_CLIENT_PORT, 'X-Proxy-Port'); Request::setTrustedHeaderName(Request::HEADER_CLIENT_PROTO, 'X-Proxy-Proto');
By default, if you whitelist your proxy's IP address, then all four headers listed above are trusted. If you need to trust some of these headers but not others, you can do that as well:
// disables trusting the ``X-Forwarded-Proto`` header, the default header is used Request::setTrustedHeaderName(Request::HEADER_CLIENT_PROTO, '');