1

I have just upgraded to Symfony 5.4 and i'm hitting a deprecation notice on my usage of the HEADER_X_FORWARDED_ALL constant.

trigger_deprecation('symfony/http-foundation', '5.2', 'The "HEADER_X_FORWARDED_ALL" constant is deprecated, use either "HEADER_X_FORWARDED_FOR | HEADER_X_FORWARDED_HOST | HEADER_X_FORWARDED_PORT | HEADER_X_FORWARDED_PROTO" or "HEADER_X_FORWARDED_AWS_ELB" or "HEADER_X_FORWARDED_TRAEFIK" constants instead.');

Up until now I have be calling setTrustedProxies with the following:

Request::setTrustedProxies(array($request->server->get('REMOTE_ADDR')), Request::HEADER_X_FORWARDED_ALL);

What is the recommended approach for getting rid of this? I am looking at calling setTrustedProxies for each header, but i'm not sure if that's correct. There's nothing clear in the documentation around this.

Request::setTrustedProxies(array($request->server->get('REMOTE_ADDR')), Request::HEADER_X_FORWARDED_FOR);
Request::setTrustedProxies(array($request->server->get('REMOTE_ADDR')), Request::HEADER_X_FORWARDED_HOST);
Request::setTrustedProxies(array($request->server->get('REMOTE_ADDR')), Request::HEADER_X_FORWARDED_PROTO);
Request::setTrustedProxies(array($request->server->get('REMOTE_ADDR')), Request::HEADER_X_FORWARDED_PORT);
Request::setTrustedProxies(array($request->server->get('REMOTE_ADDR')), Request::HEADER_X_FORWARDED_PREFIX);
Request::setTrustedProxies(array($request->server->get('REMOTE_ADDR')), Request::HEADER_X_FORWARDED_AWS_ELB);

Is HEADER_X_FORWARDED_FOR enough? (I also have the application sitting behind an ELB).

crmpicco
  • 16,605
  • 26
  • 134
  • 210
  • This [PR](https://github.com/symfony/symfony/pull/38954) should have an answer for you hopefully – Chris Haas Feb 14 '23 at 04:36
  • @ChrisHaas Thanks for the link. `Request::HEADER_X_FORWARDED_FOR` doesn't cover everything, does it? – crmpicco Feb 14 '23 at 07:54
  • No, but there’s also HOST, PORT and PROTO, as well as two stack-specific ones, AWS_ELB and TRAEFIK. – Chris Haas Feb 14 '23 at 12:34
  • @ChrisHaas I'm not sure if calling `setTrustedProxies` multiple times will do what `_ALL` used to do... – crmpicco Feb 15 '23 at 09:01
  • I’d assume calling multiple times would override each time, it looks like you are supposed to OR (`|`) them together in a single call – Chris Haas Feb 15 '23 at 12:52
  • @ChrisHaas Oh, sorry. I misread that. I thought the `|` was options rather than the actual syntax. Thanks – crmpicco Feb 16 '23 at 09:01

0 Answers0