[Symfony 4] Drupal\Core\StackMiddleware\ReverseProxyMiddleware calls Symfony\Component\HttpFoundation\Request::setTrustedHeaderName() which does not exist

Problem/Motivation

Found in #2976394: Investigate problems with Symfony 4 now , although Drupal\Tests\Core\StackMiddleware\ReverseProxyMiddlewareTest has an @expectedDeprecation The "Symfony\Component\HttpFoundation\Request::setTrustedHeaderName()" method is deprecated since Symfony 3.3 and will be removed in 4.0. Use the $trustedHeaderSet argument of the Request::setTrustedProxies() method instead., that does not help once updated to Symfony 4 since the method is actually, effectively, absolutely not there anymore.

Proposed resolution

Do a proper deprecation of how custom header settings and replace using a new reverse_proxy_trusted_headers setting instead.

Support for the following settings in deprecated in Drupal 8:

• reverse_proxy_header
• reverse_proxy_proto_header
• reverse_proxy_host_header
• reverse_proxy_port_heade
• reverse_proxy_forwarded_header

In Drupal 8 these could be set to custom header names if used by your reverse proxy. Support for this will be dropped in Drupal 9.

Additionally you could set each value to NULL to indicate that the corresponding header was not to be trusted. In Drupal 8.7.0 a new setting has been added to control this reverse_proxy_trusted_headers.

Before

$settings['reverse_proxy_host_header'] = NULL
$settings['reverse_proxy_forwarded_header'] = NULL;

After

$settings['reverse_proxy_trusted_headers'] = \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_FOR | 
\Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PROTO | \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PORT;

OR

$settings['reverse_proxy_trusted_headers'] = \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_AWS_ELB

Note the default value for $settings['reverse_proxy_trusted_headers'] is \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_ALL | \Symfony\Component\HttpFoundation\Request::HEADER_FORWARDED. This value is the most permissive and does not make much sense as reverse proxies do not use both "X-Forwarded-*" headers and "Forwarded" header. Therefore it is recommended to set a value.

Remaining tasks

Do it.

User interface changes

None.

API changes

Don't know yet. Hopefully none.

Data model changes

None.

Release notes snippet

N/A.