3

I'm running a Symfony2 web application on AWS, and am using an Elastic Load Balancer.

In a controller method, I need to do the following to get the IP of a user requesting a web page:

$request->trustProxyData();              // static switch: X-Forwarded-* headers are trusted for every request
$clientIp = $request->getClientIp(true); // true = read the client IP from the proxy header

Does this present any security risks? I'm not using the client IP for privilege escalation, I'm just logging it.

Is there some way to force trustProxyData() always, or otherwise reconfigure $request->getClientIp() to DWIM? My app will always be behind a load balancer (except while I do development on my desktop).

Related: http://fabien.potencier.org/article/51/create-your-own-framework-on-top-of-the-symfony2-components-part-2 (but it doesn't say if there's some global config so I don't have to call trustProxyData() everywhere).

Adam Monsen

5 Answers

4

You can configure the framework bundle to do this: http://symfony.com/doc/2.0/reference/configuration/framework.html#trust-proxy-headers

framework:
    trust_proxy_headers: true
Adrian Toman
AdrienBrault
  • Is this secure? Seems like a blanket trust is risky. Is there a way to overwrite the default "X_FORWARDED_PROTO" with the one Amazon AWS load balancers use, "HTTP_X_FORWARDED_PROTO"? – Acyra Sep 03 '13 at 15:20
  • Acyra: configure which proxies to trust http://symfony.com/doc/2.0/reference/configuration/framework.html#trusted-proxies – AdrienBrault Sep 03 '13 at 17:37
  • This has changed (Symfony 2.3) as it needs to be: ```trusted_proxies: [192.0.0.1, 10.0.0.0/8]``` - updating to use the IP CIDR range of the proxy. (see current [doc](http://symfony.com/doc/current/reference/configuration/framework.html#trusted-proxies)) – Matt R. Oct 18 '13 at 00:32
1

I am not sure about any general security risks, but I can give you a tip on how to avoid calling this method in each controller action.

In your app.php just before the $kernel->handle(...); you should set:

Request::trustProxyData();

Cheers ;)

Vitalii Zurian
  • This works best for Symfony 2.2 application when using with ELB, which has dynamic IPs and Symfony 2.2 doesn't support CIDR. – Anton Babenko Oct 07 '14 at 10:02
1

Note:

The trust_proxy_headers option is deprecated and will be removed in Symfony 2.3.

See trusted_proxies and Trusting Proxies for details on how to properly trust proxy data.

Chrysweel
1

I used

Request::setTrustedProxies(array($request->server->get('REMOTE_ADDR')));

in web/app.php to solve the problem.

See my answer here: https://stackoverflow.com/a/28793609/2030937

totas
  • Still works as of Symfony 3.4. My server is behind CloudFlare CDN with forced https redirect. Having a route with `schemes: [https]` made me get 'TooManyRedirects'. However, adding this line in `web/app.php` did fix it. – Jamesst20 Nov 12 '19 at 00:30
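As an added illustration (not code from the question, from any of the answers, or from Symfony's HttpFoundation), the stand-alone PHP script below shows why the blanket trust_proxy_headers / trustProxyData() setting in the first answer is risky, what the trusted_proxies CIDR list buys you, and the caveat that comes with the REMOTE_ADDR trick in the answer just above. It re-implements both resolution strategies in plain PHP so it runs without Symfony: the naive one that takes the leftmost X-Forwarded-For entry (what the old trustProxyData() path relied on), and the trusted-proxy walk used from Symfony 2.3 on, which completes the header chain with REMOTE_ADDR and reads it right-to-left past every hop that belongs to a trusted proxy. The addresses, the 10.0.0.0/8 VPC range, and the ELB behaviour of appending the connecting client's IP to any X-Forwarded-For the client already sent are constructed assumptions for the demo.

```php
<?php
declare(strict_types=1);

// Added example: stand-alone re-implementation of the two client-IP strategies
// discussed on this page. Not Symfony's HttpFoundation code. All addresses are
// constructed (RFC 5737 documentation ranges plus an assumed 10.0.0.0/8 VPC).

/** True if $ip falls inside $cidr (a bare IPv4 address or an a.b.c.d/n range). */
function ipInCidr(string $ip, string $cidr): bool
{
    $ipLong = ip2long($ip);
    if ($ipLong === false) {
        return false;
    }
    if (strpos($cidr, '/') === false) {
        return $ipLong === ip2long($cidr);
    }
    [$subnet, $bits] = explode('/', $cidr, 2);
    $bits = (int) $bits;
    $mask = $bits === 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === (ip2long($subnet) & $mask);
}

function isTrustedProxy(string $ip, array $trustedProxies): bool
{
    foreach ($trustedProxies as $cidr) {
        if (ipInCidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

/** Blanket trust: the leftmost X-Forwarded-For entry is taken at face value. */
function clientIpNaive(string $remoteAddr, ?string $xff): string
{
    if ($xff === null || $xff === '') {
        return $remoteAddr;
    }
    return trim(explode(',', $xff, 2)[0]);
}

/**
 * Trusted-proxy walk: append the peer we actually talked to, then read the
 * chain right-to-left and stop at the first hop that is not one of our proxies.
 */
function clientIpTrusted(string $remoteAddr, ?string $xff, array $trustedProxies): string
{
    // If the direct peer is not a trusted proxy, the header is hearsay: ignore it.
    if (!isTrustedProxy($remoteAddr, $trustedProxies)) {
        return $remoteAddr;
    }
    $chain = ($xff === null || $xff === '') ? [] : array_map('trim', explode(',', $xff));
    $chain[] = $remoteAddr;
    for ($i = count($chain) - 1; $i >= 0; $i--) {
        $hop = $chain[$i];
        if (!filter_var($hop, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
            continue; // garbage in the header is skipped, never logged as an IP
        }
        if (!isTrustedProxy($hop, $trustedProxies)) {
            return $hop;
        }
    }
    return $remoteAddr; // every hop was one of our own proxies
}

/** Runs three scenarios; returns [label => [naive, cidr-trusted, remote-addr-trusted]]. */
function scenarios(): array
{
    $elb    = '10.0.3.17';     // assumed: ELB node inside the VPC
    $vpc    = ['10.0.0.0/8'];  // assumed: trusted_proxies CIDR covering the VPC
    $client = '198.51.100.7';  // the real visitor (RFC 5737 TEST-NET-2)
    $spoof  = '203.0.113.1';   // value the visitor injects into X-Forwarded-For
    $results = [];

    // 1. Honest request via the ELB, which appends the real client IP.
    $xff = $client;
    $results['via ELB, no spoofing'] = [
        clientIpNaive($elb, $xff),
        clientIpTrusted($elb, $xff, $vpc),
        clientIpTrusted($elb, $xff, [$elb]),     // REMOTE_ADDR trick: trust the peer
    ];

    // 2. Visitor sends its own X-Forwarded-For; the ELB appends the true IP after it.
    $xff = $spoof . ', ' . $client;
    $results['via ELB, spoofed header'] = [
        clientIpNaive($elb, $xff),
        clientIpTrusted($elb, $xff, $vpc),
        clientIpTrusted($elb, $xff, [$elb]),
    ];

    // 3. Visitor bypasses the ELB and connects to the instance directly.
    $xff = $spoof;
    $results['direct to instance, spoofed header'] = [
        clientIpNaive($client, $xff),
        clientIpTrusted($client, $xff, $vpc),
        clientIpTrusted($client, $xff, [$client]), // REMOTE_ADDR trick now trusts the attacker
    ];

    return $results;
}

foreach (scenarios() as $label => [$naive, $cidr, $remoteAddrTrick]) {
    printf("%-36s naive=%-14s cidr=%-14s remote_addr=%s\n", $label, $naive, $cidr, $remoteAddrTrick);
}
```

Run it with `php` (7.1 or later for the destructuring in the loop). In the second scenario the naive resolver logs the injected 203.0.113.1, while both trusted-proxy variants recover 198.51.100.7 because they read the chain from the ELB's end. The third scenario is the caveat for the REMOTE_ADDR trick: it trusts whoever connected, so a visitor who can reach the instance without going through the ELB gets their forged header honoured, whereas the CIDR list ignores the header and logs the real peer. The trick is only sound when the instance's security group admits connections from the load balancer alone.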
1

In modern Symfony versions: https://symfony.com/doc/current/deployment/proxies.html#but-what-if-the-ip-of-my-reverse-proxy-changes-constantly

If your ELB is behind a CloudFront proxy, you should take a look at this package too: https://packagist.org/packages/fmaj/cloudfront-trusted-proxies

FAjir