Configuring a Trusted Proxy

If your web servers sit behind a load balancer, HTTP cache, or other intermediary (reverse) proxy, SupportPal requires some additional configuration. For security reasons, the software must be informed of which proxies to "trust" before it will attempt to read the X-FORWARDED-* headers.

Contents

Proxy Configuration

By default SupportPal expects following header to be sent from the proxy. If your proxy sends slightly different headers, the configuration file can be adjusted to suit your requirements (more details further down).

Header Description
X-Forwarded-For The IP address of the client.
X-Forwarded-Host The hostname used to access the site in the browser.
X-Forwarded-Proto The schema/protocol (http/https) used by the client.
X-Forwarded-Port The port used by the client (typically 80 or 443).

Example nginx Configuration

If you're using nginx as a reverse proxy, please find the below example configuration for forwarding headers:


    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host $host;

Configuration

Create a new file /config/production/trustedproxy.php:

/config/production/trustedproxy.php

    <?php

    return [

        /*
         * Set trusted proxy IP addresses.
         *
         * Both IPv4 and IPv6 addresses are
         * supported, along with CIDR notation.
         *
         * The "*" character is syntactic sugar
         * within TrustedProxy to trust any proxy;
         * a requirement when you cannot know the address
         * of your proxy (e.g. if using Rackspace balancers).
         */
        'proxies' => [
            '192.168.1.10',
        ],

        /*
         * Default Header Names
         *
         * Change these if the proxy does
         * not send the default header names.
         *
         * Note that headers such as X-Forwarded-For
         * are transformed to HTTP_X_FORWARDED_FOR format.
         *
         * The following are Symfony defaults, found in
         * \Symfony\Component\HttpFoundation\Request::$trustedHeaders
         */
        'headers' => [
            \Illuminate\Http\Request::HEADER_CLIENT_IP    => 'X_FORWARDED_FOR',
            \Illuminate\Http\Request::HEADER_CLIENT_HOST  => 'X_FORWARDED_HOST',
            \Illuminate\Http\Request::HEADER_CLIENT_PROTO => 'X_FORWARDED_PROTO',
            \Illuminate\Http\Request::HEADER_CLIENT_PORT  => 'X_FORWARDED_PORT',
        ]
    ];

In this example, we tell SupportPal to "trust" a proxy with IP address 192.168.1.10. If you use multiple IP addresses, these can be specified using a comma delimited list: '192.168.1.10', '192.168.1.11', '192.168.1.12'

Alternatively, if you're using a cloud-based service the IP address is typically dynamic. To "trust" any IP address:


    <?php

    return [

        'proxies' => '*',

    ];

Changing the default X-FORWARDED-* headers

The default headers are configured under the 'headers' element on the configuration file. If your proxy sends different headers, the defaults can be changed. For example, HAProxy may send an X-FORWARD-SCHEME header rather than the X-FORWARDED-PROTO:


    <?php

    return [

        'headers' => [
            Illuminate\Http\Request::HEADER_CLIENT_PROTO => 'X_FORWARDED_SCHEME',
        ]

    ];