| Package Data | |
|---|---|
| Maintainer Username: | fideloper |
| Maintainer Contact: | fideloper@gmail.com (Chris Fidao) |
| Package Create Date: | 2013-04-30 |
| Package Last Update: | 2024-01-09 |
| Home Page: | |
| Language: | PHP |
| License: | MIT |
| Last Refreshed: | 2024-11-15 15:17:45 |
| Package Statistics | |
|---|---|
| Total Downloads: | 161,570,677 |
| Monthly Downloads: | 965,020 |
| Daily Downloads: | 46,389 |
| Total Stars: | 7,357 |
| Total Watchers: | 29 |
| Total Forks: | 126 |
| Total Open Issues: | 7 |
Please use tag 4.0+ for Laravel 5.6:
composer require fideloper/proxy:~4.0
TrustedProxy is still included with Laravel 5.6+. To configure for this version of Laravel, please see: https://laravel.com/docs/5.6/requests#configuring-trusted-proxies
TrustedProxy is now included with Laravel 5.5+. To configure for this version of Laravel, please see: https://laravel.com/docs/5.5/requests#configuring-trusted-proxies
Please use tag 3.0+ for Laravel 5.5:
composer require fideloper/proxy:~3.0
For Laravel versions 5.0 - 5.4, please continue below.
New features include:
X-Forwarded-* headers. See issue #9 and issue #7 for an example and discussion of that.To use this with Laravel 5, run the following from your Laravel 5 project directory:
composer require fideloper/proxy
Or of course, you can edit your composer.json file directly:
{
"require": {
"fideloper/proxy": "^3.3"
}
}
You can still use this package for Version 4 of Laravel. See the latest v2 tag of this repository, which is compatible with version 4 of Laravel.
Setting a trusted proxy allows for correct URL generation, redirecting, session handling and logging in Laravel when behind a proxy.
This is useful if your web servers sit behind a load balancer, HTTP cache, or other intermediary (reverse) proxy.
Install Trusted Proxy:
$ composer require fideloper/proxy
Add the Service Provider:
'providers' => array(
# other providers omitted
'Fideloper\Proxy\TrustedProxyServiceProvider',
);
Publish the package config file to config/trustedproxy.php:
$ php artisan vendor:publish --provider="Fideloper\Proxy\TrustedProxyServiceProvider"
Register the HTTP Middleware in file app/Http/Kernel.php:
protected $middleware = [
// Illuminate middlewares omitted for brevity
'Fideloper\Proxy\TrustProxies',
Then edit the published configuration file config/trustedproxy.php as needed.
The below will trust a proxy, such as a load balancer or web cache, at IP address 192.168.10.10:
<?php
return [
'proxies' => [
'192.168.10.10',
],
// These are defaults already set in the config:
'headers' => [
(defined('Illuminate\Http\Request::HEADER_FORWARDED') ? Illuminate\Http\Request::HEADER_FORWARDED : 'forwarded') => 'FORWARDED',
\Illuminate\Http\Request::HEADER_CLIENT_IP => 'X_FORWARDED_FOR',
\Illuminate\Http\Request::HEADER_CLIENT_HOST => 'X_FORWARDED_HOST',
\Illuminate\Http\Request::HEADER_CLIENT_PROTO => 'X_FORWARDED_PROTO',
\Illuminate\Http\Request::HEADER_CLIENT_PORT => 'X_FORWARDED_PORT',
]
];
Note: If you're using AWS Elastic Load Balancing or Heroku, the FORWARDED and X_FORWARDED_HOST headers should be set to null as they are currently unsupported there.
<?php
return [
'proxies' => [
'192.168.10.10',
],
// These are defaults already set in the config:
'headers' => [
(defined('Illuminate\Http\Request::HEADER_FORWARDED') ? Illuminate\Http\Request::HEADER_FORWARDED : 'forwarded') => null,
\Illuminate\Http\Request::HEADER_CLIENT_IP => 'X_FORWARDED_FOR',
\Illuminate\Http\Request::HEADER_CLIENT_HOST => null,
\Illuminate\Http\Request::HEADER_CLIENT_PROTO => 'X_FORWARDED_PROTO',
\Illuminate\Http\Request::HEADER_CLIENT_PORT => 'X_FORWARDED_PORT',
]
];
If your site sits behind a load balancer, gateway cache or other "reverse proxy", each web request has the potential to appear to always come from that proxy, rather than the client actually making requests on your site.
To fix that, this package allows you to take advantage of Symfony's knowledge of proxies. See below for more explanation on the topic of "trusted proxies".
Installation is typical of a Laravel 5 package:
This package lives inside of Packagist and is therefore easily installable via Composer:
Method One:
$ composer require fideloper/proxy
Method Two:
{
"require": {
"fideloper/proxy": "^3.3"
}
}
Once that's added, run $ composer update to download the files.
If you want to develop on this, you'll need the dev dependencies, which you can get by adding the
--devflag to thecomposer requirecommand.
The next step to installation is to add the Service Provider.
Edit config/app.php and add the provided Service Provider:
'providers' => array(
# other providers omitted
Fideloper\Proxy\TrustedProxyServiceProvider::class,
);
This package expects the trustedproxy.php configuration file be available at /config/trustedproxy.php. You can do this by copying the package configuration file via the new Laravel 5 artisan command:
$ php artisan vendor:publish --provider="Fideloper\Proxy\TrustedProxyServiceProvider"
Once that's finished, there will be a new configuration file to edit at config/trustedproxy.php.
Edit app/Http/Kernel.php and add the provided Middleware:
protected $middleware = [
// Illuminate middlewares omitted for brevity
'Fideloper\Proxy\TrustProxies',
Edit the newly published config/trustedproxy.php:
<?php
return [
/*
* Set trusted proxy IP addresses.
*
* Both IPv4 and IPv6 addresses are
* supported, along with CIDR notation.
*
* The "*" character is syntactic sugar
* within TrustedProxy to trust any proxy
* that connects directly to your server,
* a requirement when you cannot know the address
* of your proxy (e.g. if using Rackspace balancers).
*
* The "**" character is syntactic sugar within
* TrustedProxy to trust not just any proxy that
* connects directly to your server, but also
* proxies that connect to those proxies, and all
* the way back until you reach the original source
* IP. It will mean that $request->getClientIp()
* always gets the originating client IP, no matter
* how many proxies that client's request has
* subsequently passed through.
*/
'proxies' => [
'192.168.1.10',
],
/*
* Or, to trust all proxies that connect
* directly to your server, uncomment this:
*/
# 'proxies' => '*',
/*
* Or, to trust ALL proxies, including those that
* are in a chain of forwarding, uncomment this:
*/
# 'proxies' => '**',
/*
* Default Header Names
*
* Change these if the proxy does
* not send the default header names.
*
* Note that headers such as X-Forwarded-For
* are transformed to HTTP_X_FORWARDED_FOR format.
*
* The following are Symfony defaults, found in
* \Symfony\Component\HttpFoundation\Request::$trustedHeaders
*
* You may optionally set headers to 'null' here if you'd like
* for them to be considered untrusted instead. Ex:
*
* Illuminate\Http\Request::HEADER_CLIENT_HOST => null,
*
* WARNING: If you're using AWS Elastic Load Balancing or Heroku,
* the FORWARDED and X_FORWARDED_HOST headers should be set to null
* as they are currently unsupported there.
*/
'headers' => [
(defined('Illuminate\Http\Request::HEADER_FORWARDED') ? Illuminate\Http\Request::HEADER_FORWARDED : 'forwarded') => 'FORWARDED',
Illuminate\Http\Request::HEADER_CLIENT_IP => 'X_FORWARDED_FOR',
Illuminate\Http\Request::HEADER_CLIENT_HOST => 'X_FORWARDED_HOST',
Illuminate\Http\Request::HEADER_CLIENT_PROTO => 'X_FORWARDED_PROTO',
Illuminate\Http\Request::HEADER_CLIENT_PORT => 'X_FORWARDED_PORT',
]
];
In the example above, we are pretending we have a load balancer or other proxy which lives at 192.168.1.10.
Note: If you use Rackspace, Amazon AWS or other PaaS "cloud" services which provide load balancers, the IP address of the load balancer may not be known. This means that every IP address would need to be trusted.
In that case, you can set the 'proxies' variable to '*':
<?php
return [
'proxies' => '*',
];
Using * will tell Laravel to trust all IP addresses as a proxy.
However, if you are in the situation where, say, you have a Content Distribution Network (like Amazon CloudFront) that passes to load balancer (like Amazon ELB)
then you may end up with a chain of unknown proxies forwarding from one to another. In that case, '*' above would only match
the final proxy (the load balancer in this case) which means that calling $request->getClientIp() would return the IP address
of the next proxy in line (in this case one of the Content Distribution Network ips) rather than the original client IP.
To always get the original client IP, you need to trust all the proxies in the route to your request. You can do this by:
In that case, you can set the 'proxies' variable to '':**
<?php
return [
'proxies' => '**',
];
Which will trust every single IP address.
By default, the underlying Symfony Request class expects the following header names to be sent from a proxy:
Some proxies may send slightly different headers. In those cases, you can tell the Symfony Request class what those headers are named.
For example, HAProxy may send an X-Forwarded-Scheme header rather than X-Forwarded-Proto. We can adjust Laravel (Well Actually™, the Symfony HTTP Request class) to fix this with the following configuration:
<?php
return [
'headers' => [
Illuminate\Http\Request::HEADER_CLIENT_PROTO => 'X_FORWARDED_SCHEME',
]
];
And voilà, our application will now know what to do with the X-Forwarded-Scheme header.
Don't worry about the defaults being
IN_THIS_FORMAT, while we set the headersIn-This-Format. It all gets normalized under the hood. Symfony's HTTP classes are the bomb 💥.
Some services don't support specific headers, so you can also set these to null to untrust them. In particular, AWS ELB and Heroku don't support FORWARDED and X_FORWARDED_HOST so you should set these to null in order to prevent users from spoofing trusted IPs.
<?php
return [
'headers' => [
(defined('Illuminate\Http\Request::HEADER_FORWARDED') ? Illuminate\Http\Request::HEADER_FORWARDED : 'forwarded') => null,
\Illuminate\Http\Request::HEADER_CLIENT_IP => 'X_FORWARDED_FOR',
\Illuminate\Http\Request::HEADER_CLIENT_HOST => null,
\Illuminate\Http\Request::HEADER_CLIENT_PROTO => 'X_FORWARDED_PROTO',
\Illuminate\Http\Request::HEADER_CLIENT_PORT => 'X_FORWARDED_PORT',
]
];
Symfony will accept CIDR notation for configuring trusted proxies as well. This means you can set trusted proxies to address ranges such as 192.168.12.0/23.
Check that out here and here to see how that is implemented in Symfony.
If your site is behind a proxy such as a load balancer, your web application may have some of the following issues:
We can work around those issues by listening for the X-Forwarded-* headers. These headers are often added by proxies to let your web application know details about the originator of the request.
Common headers included are:
Laravel uses Symfony for handling Requests and Responses. These classes have the means to handle proxies. However, for security reasons, they must be informed of which proxies to "trust" before they will attempt to read the X-Forwarded-* headers.
Laravel does not have a simple configuration option for "trusting" proxies out of the box. This package simply provides one.
In order for Laravel to check for the forwarded IP address, schema/protocol and port, we need tell Laravel the IP addresses of our proxies, so the application knows to "trust" them. If it finds the IP address received is a trusted IP, it will look for the X-Forwarded-* headers. Otherwise, it will ignore.
If we do not tell Laravel what the IP address of our proxy (or proxies) is, it will ignore it for security reasons.
This Wiki page has a list of popular services and their IP addresses of their servers, if available. Any updates or suggestions are welcome!