Having a project that was updated from Symfony 5 to Symfony 6, we realized that a certain constant is missing.
Old code:
use Symfony\Component\HttpFoundation\Request;

// We always trust the connecting client to be a proxy (load balancer) as we're never exposed to the internet directly
// (Symfony 5 form: HEADER_X_FORWARDED_ALL no longer exists in Symfony 6)
Request::setTrustedProxies(['REMOTE_ADDR'], Request::HEADER_X_FORWARDED_ALL);
That constant was removed for a good reason, because it is insecure in certain scenarios (e.g. if the application is directly exposed to the internet). In many cases though - like in this one - there is some load balancer with a dynamic IP (not even a fixed IP range) in front of the application (here: Amazon AWS load balancers). For me it is hard to test that properly in a staging environment; maybe someone already knows what the best replacement for AWS ELB is?
My first idea was to just use all the new constants:
use Symfony\Component\HttpFoundation\Request;

// We always trust the connecting client to be a proxy (load balancer) as we're never exposed to the internet directly
// Bitmask of every header set Symfony 6 offers, combined with the bitwise OR operator
Request::setTrustedProxies(
    ['REMOTE_ADDR'],
    Request::HEADER_X_FORWARDED_FOR
    | Request::HEADER_X_FORWARDED_HOST
    | Request::HEADER_X_FORWARDED_PORT
    | Request::HEADER_X_FORWARDED_PROTO
    | Request::HEADER_X_FORWARDED_AWS_ELB
    | Request::HEADER_X_FORWARDED_PREFIX
    | Request::HEADER_X_FORWARDED_TRAEFIK
);
I tried to do some research on the topic but I am not yet sure what the best replacement is. I am definitely sure it is not just Request::HEADER_X_FORWARDED_FOR, as this has already caused trouble. Also please note that Request::HEADER_X_FORWARDED_AWS_ELB did not solve the problem in this case (not sure why).
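To see what each trusted-header bitmask actually changes, here is an added, self-contained example (not part of the question above) that feeds one constructed request through three settings and reports what Symfony derives from it. It assumes symfony/http-foundation is installed via Composer, uses a made-up balancer subnet (10.0.0.0/8) instead of the 'REMOTE_ADDR' placeholder (which Symfony resolves from $_SERVER['REMOTE_ADDR'] at the time setTrustedProxies() is called), and uses the TEST-NET-3 address 203.0.113.7 as the client.

```php
<?php
// Added example: how the trusted-proxy list and header bitmask change what
// Request reports. Assumes symfony/http-foundation is installed via Composer.
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\HttpFoundation\Request;

// Constructed sample request: the app receives a connection from the load
// balancer (10.0.0.5) carrying X-Forwarded-* headers about the real client.
function forwardedRequest(): Request
{
    return Request::create('http://app.internal/health', 'GET', [], [], [], [
        'REMOTE_ADDR'            => '10.0.0.5',    // the load balancer
        'HTTP_X_FORWARDED_FOR'   => '203.0.113.7', // real client (TEST-NET-3)
        'HTTP_X_FORWARDED_PROTO' => 'https',
        'HTTP_X_FORWARDED_PORT'  => '443',
    ]);
}

// Apply one trust configuration and print what the request resolves to.
function report(string $label, array $proxies, int $headerSet): void
{
    Request::setTrustedProxies($proxies, $headerSet); // static, global setting
    $r = forwardedRequest();
    printf("%-22s client=%-12s secure=%-3s port=%d\n",
        $label, $r->getClientIp(), $r->isSecure() ? 'yes' : 'no', $r->getPort());
}

// 1) Nothing trusted: every X-Forwarded-* header is ignored, so the balancer's
//    own address is reported as the client and the request looks like plain HTTP.
report('no trusted proxies', [], 0);

// 2) The ELB preset (FOR | HOST | PORT | PROTO) with the balancer subnet trusted:
//    client IP, scheme and port all come from the forwarded headers.
report('ELB preset', ['10.0.0.0/8'], Request::HEADER_X_FORWARDED_AWS_ELB);

// 3) Only HEADER_X_FORWARDED_FOR: the client IP is taken from the header, but
//    the app still believes it is serving plain HTTP on port 80, which is the
//    kind of trouble the question mentions (wrong absolute URLs, redirects).
report('X-Forwarded-For only', ['10.0.0.0/8'], Request::HEADER_X_FORWARDED_FOR);
```

The proxy list is what keeps the headers from being spoofable: Symfony only reads them when REMOTE_ADDR matches a listed proxy, which is why trusting 'REMOTE_ADDR' itself is only safe when nothing but the balancer can reach the application.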