dunglas / symfony-docker

A Docker-based installer and runtime for Symfony. Install: download and `docker compose up`.
https://dunglas.dev/2021/12/symfonys-new-native-docker-support-symfony-world/

trusted proxies and real ip #564

Open norkunas opened 6 months ago

norkunas commented 6 months ago

Currently in compose.yaml there is:

```yaml
TRUSTED_PROXIES: ${TRUSTED_PROXIES:-127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16}
TRUSTED_HOSTS: ^${SERVER_NAME:-example\.com|localhost}|php$$
```

OK, so spinning up for localhost, my container has this:

```console
$ docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' www-php-1
172.21.0.1
```

But for some reason in Symfony `$request->getClientIps()` returns the container IP. What more configuration is needed?

dunglas commented 6 months ago

We may need to adapt the config to use the new trusted_proxies directive introduced by Caddy: https://caddyserver.com/docs/caddyfile/options#trusted-proxies

094ikis09 commented 6 months ago

It may help you to add the following lines to the file along the config/packages/framework.yaml path:

```yaml
framework:
    #...any conf
    trusted_headers: [ 'x-forwarded-for', 'x-forwarded-host', 'x-forwarded-proto', 'x-forwarded-port', 'x-forwarded-prefix' ]
    trusted_proxies: '127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16'
    #...any conf
```

norkunas commented 6 months ago

@094ikis09 thanks, tried this on the dev env, but it still returns the Docker IP, so I guess I'll have to try the Caddy trusted_proxies directive. For the prod env, it works when I list Cloudflare IPs in trusted proxies, so I get the real IP without configuring Caddy.
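
Added example (not code from this thread, Symfony or the project): a simplified Python model of trusted-proxy client-IP resolution, where `X-Forwarded-For` is honoured only when the connecting peer is trusted and the first untrusted hop from the right is taken as the client. It is consistent with both observations above; `resolve_client_ip` is a hypothetical name, and the `198.51.100.0/24` (edge proxy) and `203.0.113.0/24` (client) addresses are constructed documentation ranges.

```python
import ipaddress

# Default TRUSTED_PROXIES value from the compose.yaml quoted in the issue.
DEFAULT_TRUSTED = "127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"


def parse_trusted(spec):
    """Turn a comma-separated CIDR list into network objects."""
    return [ipaddress.ip_network(p.strip()) for p in spec.split(",") if p.strip()]


def is_trusted(addr, networks):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def resolve_client_ip(remote_addr, xff, trusted_spec):
    """Hypothetical helper modelling the resolution logic (ports are not handled)."""
    networks = parse_trusted(trusted_spec)
    # A forwarding header sent by an untrusted peer is ignored entirely.
    if not is_trusted(remote_addr, networks):
        return remote_addr
    chain = []
    for item in (xff or "").split(","):
        item = item.strip()
        try:
            ipaddress.ip_address(item)  # drop malformed entries
        except ValueError:
            continue
        chain.append(item)
    chain.append(remote_addr)  # the peer is the nearest hop
    # Walk from the nearest hop outward; the first untrusted address is the client.
    for hop in reversed(chain):
        if not is_trusted(hop, networks):
            return hop
    # Every hop is trusted: only the farthest known (still private) address is left.
    return chain[0]


if __name__ == "__main__":
    with_edge = DEFAULT_TRUSTED + ",198.51.100.0/24"  # constructed edge-proxy range
    # Dev case: the peer is the Docker address from the issue, no public hop exists.
    print(resolve_client_ip("172.21.0.1", None, DEFAULT_TRUSTED))
    # Prod case, edge proxy not listed: the header is ignored, the proxy IP is returned.
    print(resolve_client_ip("198.51.100.7", "203.0.113.50", DEFAULT_TRUSTED))
    # Prod case, edge proxy listed: the real client is returned.
    print(resolve_client_ip("198.51.100.7", "203.0.113.50", with_edge))
    # A client-supplied leftmost entry does not override the proxy-appended one.
    print(resolve_client_ip("198.51.100.7", "10.9.9.9, 203.0.113.50", with_edge))
```
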