Trusting Proxies

If you find yourself behind some sort of proxy - like a load balancer - then certain header information may be sent to you using special X-Forwarded-* headers or the Forwarded header. For example, the Host HTTP header is usually used to return the requested host. But when you're behind a proxy, the actual host may be stored in an X-Forwarded-Host header.

Since HTTP headers can be spoofed, Symfony does not trust these proxy headers by default. If you are behind a proxy, you should manually whitelist your proxy as follows:

1
2
3
4
5

use Symfony\Component\HttpFoundation\Request;

// put this code as early as possible in your application (e.g. in your
// front controller) to only trust proxy headers coming from these IP addresses
Request::setTrustedProxies(array('192.0.0.1', '10.0.0.0/8'));

You should also make sure that your proxy filters unauthorized use of these headers, e.g. if a proxy natively uses the X-Forwarded-For header, it should not allow clients to send Forwarded headers to Symfony.

If your proxy does not filter headers appropriately, you need to configure Symfony not to trust the headers your proxy does not filter (see below).

1
2
3
4
5

Request::setTrustedHeaderName(Request::HEADER_FORWARDED, 'X-Forwarded');
Request::setTrustedHeaderName(Request::HEADER_CLIENT_IP, 'X-Proxy-For');
Request::setTrustedHeaderName(Request::HEADER_CLIENT_HOST, 'X-Proxy-Host');
Request::setTrustedHeaderName(Request::HEADER_CLIENT_PORT, 'X-Proxy-Port');
Request::setTrustedHeaderName(Request::HEADER_CLIENT_PROTO, 'X-Proxy-Proto');

1
2

// disables trusting the ``Forwarded`` header
Request::setTrustedHeaderName(Request::HEADER_FORWARDED, null);