[Doc] Trust all remote proxies
Using Lift and a custom domain, you need to trust all proxies in order to make it work properly.
This is because Symfony will never see the CloudFront URL, because we are using the end client IP here: https://github.com/brefphp/bref/blob/master/src/Event/Http/Psr7Bridge.php#L44
If we set this to 127.0.0.1 instead, it would work for Symfony with trusted_proxies: 127.0.0.1. But that will obviously not work for other users expecting this to be the end client IP.
We could specify $_SERVER['REMOTE_ADDR'] to be either the proxy or 127.0.0.1. If so, you would configure trusted_proxies: 127.0.0.1, REMOTE_ADDR. See Symfony Request
The $_SERVER['REMOTE_ADDR'] is currently undefined.
I am not 100% sure this suggestion is safe, so we should probably use $_SERVER['REMOTE_ADDR'], but that also feels wrong. I would be happy to get some input.
@Nyholm This was created a year ago, sorry for being late to the party... 😄 But we actually faced that situation, and agree it feels wrong, but we had to come up with a solution that makes Symfony happy. Our application is using ApiGateway + Lambda, so we thought it was safe to trust every proxy, so we extended the Bref\SymfonyBridge\BrefKernel and set $_SERVER['REMOTE_ADDR'] there ourselves.
Again not necessarily proud, but it definitely unblocked us... 😛
```php
use Bref\Bref;
use Bref\SymfonyBridge\BrefKernel;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\HttpKernelInterface;

// LambdaContextHelper and InvocationLifecycleSubscriber are not defined in this snippet.
abstract class AbstractServerlessHttpKernel extends BrefKernel
{
    public function __construct(string $environment, bool $debug)
    {
        parent::__construct($environment, $debug);

        if (LambdaContextHelper::inLambda()) {
            Bref::events()->subscribe(new InvocationLifecycleSubscriber());
        }
    }

    public function handle(
        Request $request,
        int $type = HttpKernelInterface::MAIN_REQUEST,
        bool $catch = true,
    ): Response {
        // Symfony requires $_SERVER['REMOTE_ADDR'] to be set in order to set trusted proxies properly
        // Because we are within the Lambda context behind ApiGateway, we can safely trust the one from the request
        if (LambdaContextHelper::inRemoteLambda()) {
            // Copy the request's REMOTE_ADDR into the global so the 'REMOTE_ADDR' entry below resolves to it
            $_SERVER['REMOTE_ADDR'] = $request->server->get('REMOTE_ADDR', '127.0.0.1');
            Request::setTrustedProxies(
                ['REMOTE_ADDR'],
                Request::HEADER_X_FORWARDED_FOR | Request::HEADER_X_FORWARDED_PORT | Request::HEADER_X_FORWARDED_PROTO
            );
        }

        return parent::handle($request, $type, $catch);
    }
}
```
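
How Symfony treats the same forwarded headers under the settings discussed in this thread, as an added example that is not code from Bref or from either participant. It assumes symfony/http-foundation is installed via Composer; the `resolve()` helper, the addresses and the 198.51.100.0/24 proxy range are all constructed for illustration.

```php
<?php
// Added example, not code from Bref or from this thread.
// Assumes `composer require symfony/http-foundation`. All addresses are constructed.
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\HttpFoundation\Request;

const FORWARDED_HEADERS = Request::HEADER_X_FORWARDED_FOR
    | Request::HEADER_X_FORWARDED_PORT
    | Request::HEADER_X_FORWARDED_PROTO;

/**
 * Report what Symfony derives from one request under one trusted_proxies setting.
 * $globalRemoteAddr models $_SERVER['REMOTE_ADDR'] (null = undefined, as in the issue);
 * $peer is the REMOTE_ADDR carried by the request object itself.
 */
function resolve(array $trusted, ?string $globalRemoteAddr, string $peer): array
{
    // The literal 'REMOTE_ADDR' entry is expanded from $_SERVER when
    // setTrustedProxies() runs, and dropped if that key is undefined.
    unset($_SERVER['REMOTE_ADDR']);
    if ($globalRemoteAddr !== null) {
        $_SERVER['REMOTE_ADDR'] = $globalRemoteAddr;
    }
    Request::setTrustedProxies($trusted, FORWARDED_HEADERS);

    $request = Request::create('http://app.test/', 'GET', [], [], [], [
        'REMOTE_ADDR' => $peer,
        'HTTP_X_FORWARDED_FOR' => '192.0.2.99', // supplied by whoever sent the request
        'HTTP_X_FORWARDED_PROTO' => 'https',
    ]);

    return [
        'headers_trusted' => $request->isFromTrustedProxy(),
        'client_ip' => $request->getClientIp(),
        'secure' => $request->isSecure(),
    ];
}

$cases = [
    'issue: REMOTE_ADDR undefined' => [['127.0.0.1', 'REMOTE_ADDR'], null, '203.0.113.10'],
    'workaround: trust any peer' => [['REMOTE_ADDR'], '203.0.113.10', '203.0.113.10'],
    'pinned range, proxy peer' => [['198.51.100.0/24'], null, '198.51.100.7'],
    'pinned range, other peer' => [['198.51.100.0/24'], null, '203.0.113.10'],
];
foreach ($cases as $label => [$trusted, $global, $peer]) {
    printf("%-30s %s\n", $label, json_encode(resolve($trusted, $global, $peer)));
}
```

In the "trust any peer" case the X-Forwarded-For value becomes the client IP no matter who sent the request, so that setting is only sound when the function cannot be reached except through a proxy that sets those headers itself.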