On 17.11.2012 16:20, Thomas Lundquist wrote:
> On Tue, Nov 13, 2012 at 03:30:56PM -0800, Cameron Junge wrote:
>> While not a vulnerability, per se, it is something that all web developers
>> (PHP or otherwise) should be aware of.
>>
>> The summary is: The x-forwarded-for header should NEVER be trusted.
>
> That's true.
The whole trustProxy setting should not be removed IMO. On sites where I
run nginx + varnish I need this to be able to access the real IP.
Without that everything is 127.0.0.1.
The trick is, in the first node of your setup, to add the Client-IP header
manually using the remote address, which at that point cannot be forged
with headers.
In nginx it looks like this if you're proxying to varnish:
proxy_set_header Client-IP $remote_addr;
That way you get $_SERVER['HTTP_CLIENT_IP'] set to the real IP, and
Request::getClientIp() will return that before it checks
HTTP_X_FORWARDED_FOR, so all is well.
I don't particularly have any use for the X-Forwarded-For header, but in
some setups it might be useful for informational purposes. You shouldn't
make any trust/authorization decisions based on it though, that's for sure.
Cheers
--
Jordi Boggiano
@seldaek - http://nelm.io/jordi
--
If you want to report a vulnerability issue on symfony, please send it to
security at symfony-project.com
You received this message because you are subscribed to the Google
Groups "symfony developers" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected]
For more options, visit this group at
http://groups.google.com/group/symfony-devs?hl=en
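The resolution logic the message above describes, as an added example in plain PHP; this is not code from the message, from Symfony's Request::getClientIp(), or from the project. It assumes a fixed list of your own reverse-proxy addresses (here just 127.0.0.1, the nginx/varnish node) and uses constructed $_SERVER-style arrays as input. The X-Forwarded-For fallback goes slightly beyond the message: it walks the header from the right, skipping your own proxies, so the client-supplied left part of an appended header is never used. The function name resolve_client_ip and the sample addresses are assumptions.

```php
<?php
// Added example (not Symfony or mailing-list code): resolve the real client IP,
// honouring proxy-set headers only when the request actually came through one
// of our own proxies. Header names follow the $_SERVER convention (HTTP_*).
declare(strict_types=1);

/**
 * @param array<string,string> $server         $_SERVER-like array (constructed below)
 * @param string[]             $trustedProxies addresses of our own reverse proxies (assumption: fixed list)
 */
function resolve_client_ip(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';

    // Direct connection from the internet: every header is attacker-controlled,
    // so a forged Client-IP or X-Forwarded-For must be ignored outright.
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;
    }

    // Behind our own proxy: prefer Client-IP, which the first node sets from its
    // own remote address (nginx's proxy_set_header overwrites any client copy).
    if (isset($server['HTTP_CLIENT_IP'])
        && filter_var($server['HTTP_CLIENT_IP'], FILTER_VALIDATE_IP) !== false) {
        return $server['HTTP_CLIENT_IP'];
    }

    // Fallback: X-Forwarded-For read right-to-left. Only the rightmost entries
    // were appended by hops we control; anything further left came from the
    // client and may be forged, so stop at the first address that is not ours.
    if (isset($server['HTTP_X_FORWARDED_FOR'])) {
        $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        for ($i = count($hops) - 1; $i >= 0; $i--) {
            if (!in_array($hops[$i], $trustedProxies, true)) {
                return filter_var($hops[$i], FILTER_VALIDATE_IP) !== false
                    ? $hops[$i]
                    : $remote;
            }
        }
    }

    // Nothing usable beyond the proxy's own address.
    return $remote;
}

// Constructed sample requests (not captured traffic).
$trusted = ['127.0.0.1'];

$cases = [
    // 1. Attacker connects directly and forges both headers.
    'direct, forged headers' => [
        'REMOTE_ADDR'          => '198.51.100.7',
        'HTTP_CLIENT_IP'       => '127.0.0.1',
        'HTTP_X_FORWARDED_FOR' => '10.0.0.1',
    ],
    // 2. Same attacker, but via nginx which set Client-IP from $remote_addr.
    'via nginx, Client-IP set' => [
        'REMOTE_ADDR'          => '127.0.0.1',
        'HTTP_CLIENT_IP'       => '198.51.100.7',
        'HTTP_X_FORWARDED_FOR' => '10.0.0.1, 198.51.100.7',
    ],
    // 3. Proxy appended to X-Forwarded-For but did not set Client-IP.
    'via proxy, XFF only' => [
        'REMOTE_ADDR'          => '127.0.0.1',
        'HTTP_X_FORWARDED_FOR' => '10.0.0.1, 198.51.100.7',
    ],
];

foreach ($cases as $label => $server) {
    printf("%-26s -> %s\n", $label, resolve_client_ip($server, $trusted));
}
```

All three constructed cases resolve to 198.51.100.7: the forged headers in case 1 are ignored because the connection did not come from a trusted proxy, case 2 takes the Client-IP value the first node stamped from its own remote address, and case 3 stops at the rightmost address that is not one of our proxies, never reaching the attacker-supplied 10.0.0.1. The one setting to get right on the nginx side is that the first node must overwrite Client-IP (proxy_set_header does) rather than pass a client-supplied copy through.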