Skip to content
  • About
    • What is Symfony?
    • Community
    • News
    • Contributing
    • Support
  • Documentation
    • Symfony Docs
    • Symfony Book
    • Screencasts
    • Symfony Bundles
    • Symfony Cloud
    • Training
  • Services
    • SensioLabs Professional services to help you with Symfony
    • Platform.sh for Symfony Best platform to deploy Symfony apps
    • SymfonyInsight Automatic quality checks for your apps
    • Symfony Certification Prove your knowledge and boost your career
    • Blackfire Profile and monitor performance of your apps
  • Other
  • Blog
  • Download
sponsored by SensioLabs
  1. Home
  2. Documentation
  3. Cookbook
  4. Request
  5. How to Configure Symfony to Work behind a Load Balancer or a Reverse Proxy
  • Documentation
  • Book
  • Reference
  • Bundles
  • Cloud

Table of Contents

  • Solution: trusted_proxies
  • But what if the IP of my Reverse Proxy Changes Constantly!
  • My Reverse Proxy Uses Non-Standard (not X-Forwarded) Headers

How to Configure Symfony to Work behind a Load Balancer or a Reverse Proxy

Edit this page

Warning: You are browsing the documentation for Symfony 2.5, which is no longer maintained.

Read the updated version of this page for Symfony 6.2 (the current stable version).

How to Configure Symfony to Work behind a Load Balancer or a Reverse Proxy

When you deploy your application, you may be behind a load balancer (e.g. an AWS Elastic Load Balancer) or a reverse proxy (e.g. Varnish for caching).

For the most part, this doesn't cause any problems with Symfony. But, when a request passes through a proxy, certain request information is sent using special X-Forwarded-* headers. For example, instead of reading the REMOTE_ADDR header (which will now be the IP address of your reverse proxy), the user's true IP will be stored in an X-Forwarded-For header.

If you don't configure Symfony to look for these headers, you'll get incorrect information about the client's IP address, whether or not the client is connecting via HTTPS, the client's port and the hostname being requested.

Solution: trusted_proxies

This is no problem, but you do need to tell Symfony that this is happening and which reverse proxy IP addresses will be doing this type of thing:

  • YAML
  • XML
  • PHP
1
2
3
4
# app/config/config.yml
# ...
framework:
    trusted_proxies:  [192.0.0.1, 10.0.0.0/8]
1
2
3
4
5
6
7
8
9
10
11
12
<!-- app/config/config.xml -->
<?xml version="1.0" encoding="UTF-8" ?>
<container xmlns="http://symfony.com/schema/dic/services"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:framework="http://symfony.com/schema/dic/symfony"
    xsi:schemaLocation="http://symfony.com/schema/dic/services http://symfony.com/schema/dic/services/services-1.0.xsd
                        http://symfony.com/schema/dic/symfony http://symfony.com/schema/dic/symfony/symfony-1.0.xsd">

    <framework:config trusted-proxies="192.0.0.1, 10.0.0.0/8">
        <!-- ... -->
    </framework>
</container>
1
2
3
4
// app/config/config.php
$container->loadFromExtension('framework', array(
    'trusted_proxies' => array('192.0.0.1', '10.0.0.0/8'),
));

In this example, you're saying that your reverse proxy (or proxies) has the IP address 192.0.0.1 or matches the range of IP addresses that use the CIDR notation 10.0.0.0/8. For more details, see the framework.trusted_proxies option.

That's it! Symfony will now look for the correct X-Forwarded-* headers to get information like the client's IP address, host, port and whether or not the request is using HTTPS.

But what if the IP of my Reverse Proxy Changes Constantly!

Some reverse proxies (like Amazon's Elastic Load Balancers) don't have a static IP address or even a range that you can target with the CIDR notation. In this case, you'll need to - very carefully - trust all proxies.

  1. Configure your web server(s) to not respond to traffic from any clients other than your load balancers. For AWS, this can be done with security groups.
  2. Once you've guaranteed that traffic will only come from your trusted reverse proxies, configure Symfony to always trust incoming request. This is done inside of your front controller:

    1
    2
    3
    4
    5
    6
    7
    // web/app.php
    
    // ...
    Request::setTrustedProxies(array($request->server->get('REMOTE_ADDR')));
    
    $response = $kernel->handle($request);
    // ...

That's it! It's critical that you prevent traffic from all non-trusted sources. If you allow outside traffic, they could "spoof" their true IP address and other information.

My Reverse Proxy Uses Non-Standard (not X-Forwarded) Headers

Most reverse proxies store information on specific X-Forwarded-* headers. But if your reverse proxy uses non-standard header names, you can configure these (see "Trusting Proxies"). The code for doing this will need to live in your front controller (e.g. web/app.php).

This work, including the code samples, is licensed under a Creative Commons BY-SA 3.0 license.
TOC
    Version
    We stand with Ukraine.
    Version:
    Symfony Code Performance Profiling

    Symfony Code Performance Profiling

    Be trained by SensioLabs experts (2 to 6 day sessions -- French or English).

    Be trained by SensioLabs experts (2 to 6 day sessions -- French or English).

    Symfony footer

    ↓ Our footer now uses the colors of the Ukrainian flag because Symfony stands with the people of Ukraine.

    Avatar of Ser5, a Symfony contributor

    Thanks Ser5 for being a Symfony contributor

    2 commits • 4 lines changed

    View all contributors that help us make Symfony

    Become a Symfony contributor

    Be an active part of the community and contribute ideas, code and bug fixes. Both experts and newcomers are welcome.

    Learn how to contribute

    Symfony™ is a trademark of Symfony SAS. All rights reserved.

    • What is Symfony?

      • Symfony at a Glance
      • Symfony Components
      • Case Studies
      • Symfony Releases
      • Security Policy
      • Logo & Screenshots
      • Trademark & Licenses
      • symfony1 Legacy
    • Learn Symfony

      • Symfony Docs
      • Symfony Book
      • Reference
      • Bundles
      • Best Practices
      • Training
      • eLearning Platform
      • Certification
    • Screencasts

      • Learn Symfony
      • Learn PHP
      • Learn JavaScript
      • Learn Drupal
      • Learn RESTful APIs
    • Community

      • SymfonyConnect
      • Support
      • How to be Involved
      • Code of Conduct
      • Events & Meetups
      • Projects using Symfony
      • Downloads Stats
      • Contributors
      • Backers
    • Blog

      • Events & Meetups
      • A week of symfony
      • Case studies
      • Cloud
      • Community
      • Conferences
      • Diversity
      • Documentation
      • Living on the edge
      • Releases
      • Security Advisories
      • SymfonyInsight
      • Twig
      • SensioLabs
    • Services

      • SensioLabs services
      • Train developers
      • Manage your project quality
      • Improve your project performance
      • Host Symfony projects

      Deployed on

    Follow Symfony

    Search by Algolia