TrustedProxy icon indicating copy to clipboard operation
TrustedProxy copied to clipboard
verified publisher icon fideloper

⚠️ ➡️➡️➡️ Laravel 9 issues: Read this before making an issue ⬅️⬅️⬅️

Open fideloper opened this issue 3 years ago • 18 comments

Laravel 9 has incorporated this package into the core of Laravel.

See the upgrade guide here: https://laravel.com/docs/9.x/upgrade, search for Trusted Proxies

image

fideloper avatar Feb 09 '22 13:02 fideloper

Thank you for this update. Very informative.

Frank-Landry avatar Feb 11 '22 03:02 Frank-Landry

Cheers, should have moved this higher up in the Upgrade :D

svpernova09 avatar Feb 11 '22 16:02 svpernova09

Hey @fideloper thanks for the update. While no longer directly related to your package maybe since you have knowledge of this middleware you can help.

<?php

namespace App\Http\Middleware;

use Illuminate\Http\Middleware\TrustProxies as Middleware;
use Illuminate\Http\Request;

class TrustProxies extends Middleware
{
    /**
     * The trusted proxies for this application.
     *
     * @var array
     */
    protected $proxies = '*';

    /**
     * The headers that should be used to detect proxies.
     *
     * @var int
     */
    protected $headers = Request::HEADER_X_FORWARDED_FOR |
        Request::HEADER_X_FORWARDED_HOST |
        Request::HEADER_X_FORWARDED_PORT |
        Request::HEADER_X_FORWARDED_PROTO |
        Request::HEADER_X_FORWARDED_AWS_ELB;
}

Now on Laravel 9 my site has issues with Cloudflare. Yet was perfectly fine on Laravel 8 with your middleware using the Request::HEADER_X_FORWARDED_ALL

Any ideas?

HDVinnie avatar Feb 11 '22 19:02 HDVinnie

@HDVinnie I'm not really sure! What I would suggest doing is creating a test route that dumps out $_SERVER so you can see exactly what PHP is seeing when run behind CloudFlare. The HTTP_XXX values in that global array will correspond to the HTTP headers that PHP sees, which can help determine if an unknown/different header is being used.

fideloper avatar Feb 11 '22 19:02 fideloper 

  "HTTP_CF_VISITOR" => "{"scheme":"https"}"
  "HTTP_X_FORWARDED_PROTO" => "https"
  "HTTP_CF_RAY" => "6dc02fb14ce11879-EWR"
  "HTTP_X_FORWARDED_FOR" => "2601:89:c701:b170:a1cf:2935:de76:e192"
  "HTTP_CF_IPCOUNTRY" => "US"
  "HTTP_ACCEPT_ENCODING" => "gzip"
  "HTTP_CF_CONNECTING_IP" => "2601:89:c701:b170:a1cf:2935:de76:e192"
  "HTTP_CDN_LOOP" => "cloudflare"
  "HTTP_HOST" => "demo.org"

Thanks for the tip....ill have to research some more.

HDVinnie avatar Feb 11 '22 20:02 HDVinnie

@HDVinnie the hostname demo.org seems suspect, right? I'm also not entirely sure how IPv6 is handled vs ipv4.

What IP do you see under REMOTE_ADDR ?

https://github.com/laravel/framework/blob/63ca843643e86fb69efc901051ae079c89a7fd09/src/Illuminate/Http/Middleware/TrustProxies.php#L85

fideloper avatar Feb 11 '22 20:02 fideloper

Thanks, it helped a lot.

rafaelqm avatar Feb 16 '22 14:02 rafaelqm

@fideloper the config has been updated on the master but not been tagged yet, can this be done as that it still referencing Illuminate\Http\Request::HEADER_X_FORWARDED_ALL.

Sladewill avatar Jun 07 '22 11:06 Sladewill

@Sladewill I'm not sure what you mean! In Laravel 9, this project has been pulled into the core of Laravel. This package therefore isn't needed. Am I missing what you mean?

fideloper avatar Jun 08 '22 17:06 fideloper

If your using this package with any other symfony or laravel components, without using Laravels core then you may still need to use this package.

For us specifically we have a common package which includes this as we have lots of customer projects ranging from laravel 5-9 which cannot be updated, which caused some issues as this automatically gets activated within Laravel 9.

Sladewill avatar Jun 09 '22 10:06 Sladewill

As per @Sladewill's request, please tag a new release that supports using this package independently with Laravel v9 🙏

mattsims avatar Jul 12 '22 10:07 mattsims

I don't have time to maintain this anymore, so while I can tag this for you, you can also just implement it yourself. It's almost literally just adding a middleware that runs:

// Trust all:
$request->setTrustedProxies(
    [$request->server->get('REMOTE_ADDR')], 
    Request::HEADER_X_FORWARDED_FOR | Request::HEADER_X_FORWARDED_HOST | Request::HEADER_X_FORWARDED_PORT | Request::HEADER_X_FORWARDED_PROTO | Request::HEADER_X_FORWARDED_PREFIX | Request::HEADER_X_FORWARDED_AWS_ELB);

// Trust specific proxies
$request->setTrustedProxies(
    ['191.168.1.2'], 
    Request::HEADER_X_FORWARDED_FOR | Request::HEADER_X_FORWARDED_HOST | Request::HEADER_X_FORWARDED_PORT | Request::HEADER_X_FORWARDED_PROTO | Request::HEADER_X_FORWARDED_PREFIX | Request::HEADER_X_FORWARDED_AWS_ELB);

fideloper avatar Jul 12 '22 14:07 fideloper

As per @Sladewill's request, please tag a new release that supports using this package independently with Laravel v9

I actually don't understand how I could accomplish this. I'd have to remove dependencies on something here?

image

I think you'd be better off forking this or making your own implementation. It's a super small bit of functionality.

Basically: I don't have time, but PR's welcome. (Sorry, that's not a great answer but it's all I have time for right now!)

fideloper avatar Jul 12 '22 14:07 fideloper

Made another release: https://github.com/fideloper/TrustedProxy/releases/tag/4.4.2

Let me know if you hit issues!

fideloper avatar Jul 16 '22 18:07 fideloper

see under Trusted Proxies section https://laravel.com/docs/9.x/upgrade

najathi avatar Nov 01 '22 10:11 najathi

thanks.

Abdallah-SE avatar Jun 04 '23 19:06 Abdallah-SE

Thanks for the information! I'm trying to update an old Laravel and the information has been very useful for me.❤❤

InfaSysKey avatar Jul 13 '24 13:07 InfaSysKey