Enable trusted proxies in Symfony >= 3.3

[mathieudz]

Fixes php-pm issue #257 & requires Symfony 3.3.
In my case, this is needed to detect whether HTTPS is used or not. Using nginx as reverse proxy.
The code is directly copy pasted from Symfony 4.x index.php.

[andig]

Is this sage to do, i.e. is it sure that a client can not set this option via the request? Viele Grüße, Andreas

…

Am 22.06.2018 um 17:37 schrieb Mathieu De Zutter ***@***.***>: Fixes php-pm issue #257 & requires Symfony 3.3. In my case, this is needed to detect whether HTTPS is used or not. Using nginx as reverse proxy. The code is directly copy pasted from Symfony 4.x index.php. You can view, comment on, or merge this pull request online at: #114 Commit Summary Enable trusted proxies in Symfony. File Changes M Bootstraps/Symfony.php (8) Patch Links: https://github.com/php-pm/php-pm-httpkernel/pull/114.patch https://github.com/php-pm/php-pm-httpkernel/pull/114.diff — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub, or mute the thread.

[mathieudz]

It should be read from the .env file. Maybe there are other ways, but I suppose that a client cannot set $_SERVER?
If you mean that a client could set the X-Forwarded headers: the app should only be accessible through the RP.

[andig]

If you mean that a client could set the X-Forwarded headers: the app should only be accessible through the RP.

Thats what I'm concerned about. I find it kind of dangerous to trust the X_ headers?

[mathieudz]

That's why you specify with Request::setTrustedProxies() which hosts are allowed to send these headers. By default none are trusted.
For Symfony < 3.3 it was already possible with php-pm: see bottom of the php-pm's README.