Closed balthild closed 5 months ago
Thanks for your patience! Last month, my wife and I had our first child so life was a bit crazy 🤪
I think I am following a bit of what you're saying here. I'm not too familiar with the Laravel trusted proxy and may need to loop @danpastori on this to review as well.
@balthild: Do you have a proposed solution on how to resolve this?
Closing for inactivity. Please comment again if this issue still persists.
Our team is stuck in the same place. Laravel receives the real IP of the user and doesn't consider the request as coming from a trusted proxy, which breaks the scheme and protocol in our case, causing mixed content to be served.
However, proposing a solution on this topic is tricky because it really depends on the case and desired outcome. We might patch the issue with a wildcard for trustedProxies, but that's not the ideal solution.
Thanks for chiming in. I understand proposed solutions can be tricky, but if there is a default that is causing headache let me know. I am all ears if the community has a good approach to resolving this 👍
Affected Docker Images
serversideup/php:beta-8.3-fpm-nginx
However, I think the issue may affect all images because the nginx configuration entry causing this has not changed for years.
Docker Labels of the affected images
Current Behavior
Since this is a docker image, and the docker network is not configured to host mode most of the time, the nginx in docker will see every request from the docker network (for example, from 172.22.0.1) and consider it as trusted. After that, PHP's $_SERVER['REMOTE_ADDR'] will be set to the CF-Connecting-IP header. This breaks Laravel's trusted proxies feature (it is actually from Symfony, see symfony/symfony#26006). Some possible results are:
[user] --https-- [caddy] --http-- [nginx in docker]). All generated URLs will be with http:// rather than https://.
CF-Connecting-IP header to spoof PHP.
Expected Behavior
If nginx needs to trust the docker network, CF-Connecting-IP should not be used.
Steps To Reproduce
Create a Laravel project and run it with serversideup/php:beta-8.3-fpm-nginx
Create a route to the function:
curl http://localhost:9000/test
curl --header "CF-Connecting-IP: 1.2.3.4" http://localhost:9000/test
Host Operating System
Debian 12
Docker Version
Anything else?
No response
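The behaviour reported under Current Behavior, modelled in Python as an added example (not code from the issue, the image, nginx or Symfony). It assumes nginx's realip rule (`set_real_ip_from` / `real_ip_header`) and the Symfony rule that `X-Forwarded-Proto` is honoured only when `REMOTE_ADDR` is a trusted proxy; the function names, the `172.16.0.0/12` range and the trusted-proxy list are constructed for illustration.

```python
import ipaddress

def in_ranges(addr, ranges):
    """True if addr falls inside any of the given IPs/CIDR ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(r) for r in ranges)

def nginx_remote_addr(peer, headers, set_real_ip_from, real_ip_header):
    """Model of the realip rule: when the TCP peer is in a trusted range and the
    configured header holds a valid address, that address replaces the peer.
    (Address lists and real_ip_recursive are not modelled.)"""
    value = headers.get(real_ip_header) if real_ip_header else None
    if not value or not in_ranges(peer, set_real_ip_from):
        return peer
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return peer  # unparsable header value: address left unchanged

def app_scheme(remote_addr, headers, trusted_proxies):
    """Model of the trusted-proxy rule: forwarded headers count only when
    REMOTE_ADDR itself is one of the application's trusted proxies."""
    if in_ranges(remote_addr, trusted_proxies):
        return headers.get("X-Forwarded-Proto", "http")
    return "http"

def handle(peer, headers, set_real_ip_from, real_ip_header, trusted_proxies):
    """Return (REMOTE_ADDR seen by PHP, scheme used for generated URLs)."""
    remote_addr = nginx_remote_addr(peer, headers, set_real_ip_from, real_ip_header)
    return remote_addr, app_scheme(remote_addr, headers, trusted_proxies)

# Constructed sample: a TLS-terminating proxy on the Docker gateway forwards the request.
DOCKER_NET = ["172.16.0.0/12"]   # assumed range trusted by nginx
APP_TRUSTED = ["172.22.0.1"]     # assumed application trusted-proxy list
REQ = {"CF-Connecting-IP": "1.2.3.4", "X-Forwarded-Proto": "https"}

if __name__ == "__main__":
    # Reported behaviour: nginx rewrites the address from CF-Connecting-IP.
    print(handle("172.22.0.1", REQ, DOCKER_NET, "CF-Connecting-IP", APP_TRUSTED))
    # Expected behaviour: the header is not used, so the proxy stays visible.
    print(handle("172.22.0.1", REQ, DOCKER_NET, None, APP_TRUSTED))
```

In the first call the application sees `1.2.3.4` as `REMOTE_ADDR`, no longer recognises its proxy and falls back to `http`; in the second the gateway address is preserved and `X-Forwarded-Proto` is honoured.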