Problem/Motivation
Symfony (and therefore Drupal 8) supports 5 different proxy headers:
https://github.com/symfony/http-foundation/blob/3.4/Request.php#L660
* Request::HEADER_CLIENT_IP: defaults to X-Forwarded-For (see getClientIp())
* Request::HEADER_CLIENT_HOST: defaults to X-Forwarded-Host (see getHost())
* Request::HEADER_CLIENT_PORT: defaults to X-Forwarded-Port (see getPort())
* Request::HEADER_CLIENT_PROTO: defaults to X-Forwarded-Proto (see getScheme() and isSecure())
* Request::HEADER_FORWARDED: defaults to Forwarded (see RFC 7239)
By default, any and all of these are trusted.
In this context "trusted" means that the "getter" methods of \Symfony\Component\HttpFoundation\Request will read values from the headers if they're present in the request.
Drupal has a setting corresponding to the name of each of these headers, so that the name can be customised, e.g. if a CDN uses a different one:
https://cgit.drupalcode.org/drupal/tree/sites/default/default.settings.p...
/**
 * Set this value if your proxy server sends the client IP in a header
 * other than X-Forwarded-For.
 */
# $settings['reverse_proxy_header'] = 'X_CLUSTER_CLIENT_IP';
Symfony provides a way of disabling any of the headers that are not being used, and therefore should not be trusted:
https://github.com/symfony/http-foundation/blob/3.4/Request.php#L671
Setting an empty value allows to disable the trusted header for the given key.
This is also true of D8's settings for the header names; setting an empty value effectively tells Symfony to ignore that header, so that it is no longer "trusted".
However, this is not carried through into the D8 documentation yet.
Proposed resolution
The comments in default.settings.php should illustrate how to disable any proxy headers which are not in use, and therefore should not be "trusted" when determining the properties of an incoming request.
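An added illustration (not the patch for this issue and not Drupal's own code) of what such settings look like for a site whose proxy sends only X-Forwarded-For and X-Forwarded-Proto, written as a stand-alone script so the result can be checked with the PHP CLI. The proxy address 192.0.2.10 and the trusted_proxy_headers() helper are assumptions; the setting names other than reverse_proxy_header, and the default header names, are taken from Drupal 8's default.settings.php rather than from this summary.

```php
<?php
// Constructed example: a reverse proxy at 192.0.2.10 (documentation address)
// that sets X-Forwarded-For and X-Forwarded-Proto and nothing else.
$settings['reverse_proxy'] = TRUE;
$settings['reverse_proxy_addresses'] = ['192.0.2.10'];

// Headers the proxy really sets: keep (or customise) the header name.
$settings['reverse_proxy_header'] = 'X_FORWARDED_FOR';
$settings['reverse_proxy_proto_header'] = 'X_FORWARDED_PROTO';

// Headers the proxy never sets: an empty name tells Symfony to ignore them,
// so getHost(), getPort() and the Forwarded parsing no longer read them.
$settings['reverse_proxy_host_header'] = '';
$settings['reverse_proxy_port_header'] = '';
$settings['reverse_proxy_forwarded_header'] = '';

/**
 * Hypothetical audit helper (not part of Drupal or Symfony).
 *
 * Returns the proxy headers that remain trusted for a settings array. A key
 * that is not set counts as trusted, because the default header name applies.
 */
function trusted_proxy_headers(array $settings) {
  $defaults = [
    'reverse_proxy_header' => 'X_FORWARDED_FOR',
    'reverse_proxy_proto_header' => 'X_FORWARDED_PROTO',
    'reverse_proxy_host_header' => 'X_FORWARDED_HOST',
    'reverse_proxy_port_header' => 'X_FORWARDED_PORT',
    'reverse_proxy_forwarded_header' => 'FORWARDED',
  ];
  $trusted = [];
  foreach ($defaults as $key => $default) {
    $name = isset($settings[$key]) ? $settings[$key] : $default;
    if ($name !== '') {
      $trusted[$key] = $name;
    }
  }
  return $trusted;
}

// With the settings above only the client IP and protocol headers are listed.
print_r(trusted_proxy_headers($settings));

// With only reverse_proxy enabled, all five headers are still trusted.
print_r(trusted_proxy_headers(['reverse_proxy' => TRUE]));
```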
Remaining tasks
* Provide a patch for default.settings.php
* Review the patch.
* Commit the patch.
* Create follow-up issue to add more (functional?) tests for these headers: #3025077: Improve testing of Trusted Proxy Headers
User interface changes
None.
API changes
None.
Data model changes
None.
Release notes snippet
tbc (could possibly use some of the problem summary from above)