Trusting Proxies


Warning: You are browsing the documentation for Symfony 2.7, which is no longer maintained.


Tip

If you're using the Symfony Framework, start by reading How to Configure Symfony to Work behind a Load Balancer or a Reverse Proxy.

If you find yourself behind some sort of proxy, such as a load balancer, then certain header information may be sent to you using special X-Forwarded-* headers or the Forwarded header. For example, the Host HTTP header is usually used to return the requested host. But when you're behind a proxy, the actual host may instead be stored in an X-Forwarded-Host header.

Since HTTP headers can be spoofed, Symfony does not trust these proxy headers by default. If you are behind a proxy, you should manually whitelist your proxy as follows:

use Symfony\Component\HttpFoundation\Request;

// put this code as early as possible in your application (e.g. in your
// front controller) to only trust proxy headers coming from these IP addresses
Request::setTrustedProxies(array('192.0.0.1', '10.0.0.0/8'));

CIDR notation support was introduced in Symfony 2.3, so you can whitelist whole subnets (e.g. 10.0.0.0/8, fc00::/7).

You should also make sure that your proxy filters unauthorized use of these headers, e.g. if a proxy natively uses the X-Forwarded-For header, it should not allow clients to send Forwarded headers to Symfony.

If your proxy does not filter headers appropriately, you need to configure Symfony not to trust the headers your proxy does not filter (see below).
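The following script, added here as an example and not part of the Symfony documentation, shows what the whitelist actually changes. It builds two requests with constructed server parameters: one that reached PHP directly from the internet with X-Forwarded-* headers added by the sender, and one that came through a reverse proxy at 10.0.0.5. It assumes the HttpFoundation component was installed with Composer so that vendor/autoload.php exists; the addresses and host names are made up.

```php
<?php
// Added example, not from the Symfony documentation. Assumes the HttpFoundation
// component is installed with Composer (vendor/autoload.php is an assumption).
use Symfony\Component\HttpFoundation\Request;

require __DIR__.'/vendor/autoload.php';

// Summarise the values the application would act on for a given request.
function describeRequest(Request $request)
{
    return array(
        'client_ip' => $request->getClientIp(),
        'secure'    => $request->isSecure(),
        'host'      => $request->getHost(),
    );
}

// Constructed request 1: a client on the public internet talks to PHP directly
// and adds the proxy headers itself. None of these headers should be believed.
$direct = Request::create('http://app.example/', 'GET', array(), array(), array(), array(
    'REMOTE_ADDR'            => '203.0.113.7',
    'HTTP_X_FORWARDED_FOR'   => '127.0.0.1',
    'HTTP_X_FORWARDED_PROTO' => 'https',
    'HTTP_X_FORWARDED_HOST'  => 'www.example.com',
));

// Constructed request 2: the same headers, but sent by the reverse proxy at
// 10.0.0.5. The proxy chain appended the real client address (198.51.100.23)
// and an intermediate proxy (10.0.0.9) to X-Forwarded-For.
$viaProxy = Request::create('http://app.example/', 'GET', array(), array(), array(), array(
    'REMOTE_ADDR'            => '10.0.0.5',
    'HTTP_X_FORWARDED_FOR'   => '198.51.100.23, 10.0.0.9',
    'HTTP_X_FORWARDED_PROTO' => 'https',
    'HTTP_X_FORWARDED_HOST'  => 'www.example.com',
));

// Default state: no proxy is trusted, so both requests resolve to REMOTE_ADDR,
// to plain HTTP, and to the Host header that actually reached PHP.
echo "Before whitelisting any proxy:\n";
print_r(describeRequest($direct));
print_r(describeRequest($viaProxy));

// Whitelist the proxy subnet. The setting is static and applies to every
// Request object from now on, which is why it belongs in the front controller.
Request::setTrustedProxies(array('10.0.0.0/8'));

// Only the request whose REMOTE_ADDR lies inside 10.0.0.0/8 now has its
// X-Forwarded-* headers honoured. 10.0.0.9 is dropped from the X-Forwarded-For
// chain because it is itself a trusted proxy, leaving the real client address.
// The direct request is unchanged: 203.0.113.7 is not a trusted proxy, so its
// forged headers are ignored exactly as before.
echo "After trusting 10.0.0.0/8:\n";
print_r(describeRequest($direct));
print_r(describeRequest($viaProxy));
```

Run it from the directory that holds vendor/ with php on the command line. Because the trusted-proxy list is static state on the Request class, calling setTrustedProxies() in one place affects every request handled afterwards; that is the reason the documentation asks for it in the front controller rather than in individual controllers.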

Configuring Header Names

By default, the following proxy headers are trusted:

  • Forwarded: used in getClientIp()
  • X-Forwarded-For: used in getClientIp()
  • X-Forwarded-Host: used in getHost()
  • X-Forwarded-Port: used in getPort()
  • X-Forwarded-Proto: used in getScheme() and isSecure()

If your reverse proxy uses a different header name for any of these, you can configure that header name via setTrustedHeaderName():

Request::setTrustedHeaderName(Request::HEADER_FORWARDED, 'X-Forwarded');
Request::setTrustedHeaderName(Request::HEADER_CLIENT_IP, 'X-Proxy-For');
Request::setTrustedHeaderName(Request::HEADER_CLIENT_HOST, 'X-Proxy-Host');
Request::setTrustedHeaderName(Request::HEADER_CLIENT_PORT, 'X-Proxy-Port');
Request::setTrustedHeaderName(Request::HEADER_CLIENT_PROTO, 'X-Proxy-Proto');

Not Trusting certain Headers

By default, if you whitelist your proxy's IP address, then all five headers listed above are trusted. If you need to trust some of these headers but not others, you can do that as well:

// disables trusting the Forwarded header
Request::setTrustedHeaderName(Request::HEADER_FORWARDED, null);
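The script below, added as an example and not taken from the Symfony documentation, combines the two mechanisms above for the situation the earlier section warns about: a proxy that reports the client address in its own X-Proxy-For header but passes a client-supplied Forwarded header through unchanged. It assumes vendor/autoload.php from Composer; the header name X-Proxy-For, the addresses and the host name are constructed for the example.

```php
<?php
// Added example, not from the Symfony documentation. Assumes the HttpFoundation
// component is installed with Composer (vendor/autoload.php is an assumption).
use Symfony\Component\HttpFoundation\Request;

require __DIR__.'/vendor/autoload.php';

// Static configuration, done once before any request is inspected:
// 1. trust the proxy subnet;
Request::setTrustedProxies(array('10.0.0.0/8'));
// 2. the proxy reports the client in X-Proxy-For, not X-Forwarded-For;
Request::setTrustedHeaderName(Request::HEADER_CLIENT_IP, 'X-Proxy-For');
// 3. the proxy does not strip a client-sent Forwarded header, so stop
//    trusting that header altogether rather than let a client influence it.
Request::setTrustedHeaderName(Request::HEADER_FORWARDED, null);

// Constructed request: REMOTE_ADDR is the proxy, X-Proxy-For was set by the
// proxy, and both Forwarded and X-Forwarded-For were sent by the client and
// forwarded verbatim.
$request = Request::create('http://app.example/', 'GET', array(), array(), array(), array(
    'REMOTE_ADDR'          => '10.0.0.5',
    'HTTP_X_PROXY_FOR'     => '198.51.100.23',
    'HTTP_FORWARDED'       => 'for=192.0.2.1',
    'HTTP_X_FORWARDED_FOR' => '192.0.2.1',
));

// Only the header registered as HEADER_CLIENT_IP is consulted. Forwarded is
// disabled, and X-Forwarded-For is now just an ordinary header with no
// special meaning, so the client-chosen 192.0.2.1 never becomes the client IP.
echo 'Client IP seen by the application: ', $request->getClientIp(), "\n";

// The raw headers are still readable for logging or debugging; they simply
// no longer drive getClientIp().
echo 'Raw Forwarded header:       ', $request->headers->get('Forwarded'), "\n";
echo 'Raw X-Forwarded-For header: ', $request->headers->get('X-Forwarded-For'), "\n";
```

The order of the three static calls does not matter, but all of them must run before the first call to getClientIp(), isSecure() or getHost(); placing them next to setTrustedProxies() in the front controller keeps the trust configuration in one place that can be reviewed together with the proxy's own header-filtering rules.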
This work, including the code samples, is licensed under a Creative Commons BY-SA 3.0 license.