Loading core/assets/scaffold/files/default.settings.php +11 −5 Original line number Diff line number Diff line Loading @@ -385,17 +385,20 @@ * Sets which headers to trust from your reverse proxy. * * Common values are: * - \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_ALL * - \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_FOR * - \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_HOST * - \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PORT * - \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PROTO * - \Symfony\Component\HttpFoundation\Request::HEADER_FORWARDED * * Note the default value of * @code * \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_ALL | \Symfony\Component\HttpFoundation\Request::HEADER_FORWARDED * \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_FOR | \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_HOST | \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PORT | \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PROTO | \Symfony\Component\HttpFoundation\Request::HEADER_FORWARDED * @endcode * is not secure by default. The value should be set to only the specific * headers the reverse proxy uses. For example: * @code * \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_ALL * \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_FOR | \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_HOST | \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PORT | \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PROTO * @endcode * This would trust the following headers: * - X_FORWARDED_FOR Loading 
@@ -403,11 +406,14 @@ * - X_FORWARDED_PROTO * - X_FORWARDED_PORT * * @see \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_ALL * @see \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_FOR * @see \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_HOST * @see \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PORT * @see \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PROTO * @see \Symfony\Component\HttpFoundation\Request::HEADER_FORWARDED * @see \Symfony\Component\HttpFoundation\Request::setTrustedProxies */ # $settings['reverse_proxy_trusted_headers'] = \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_ALL | \Symfony\Component\HttpFoundation\Request::HEADER_FORWARDED; # $settings['reverse_proxy_trusted_headers'] = \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_FOR | \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_HOST | \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PORT | \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PROTO | \Symfony\Component\HttpFoundation\Request::HEADER_FORWARDED; /** Loading core/lib/Drupal/Core/StackMiddleware/ReverseProxyMiddleware.php +1 −1 Original line number Diff line number Diff line Loading @@ -62,7 +62,7 @@ public static function setSettingsOnRequest(Request $request, Settings $settings if (count($proxies) > 0) { // Set the default value. This is the most relaxed setting possible and // not recommended for production. $trusted_header_set = Request::HEADER_X_FORWARDED_ALL | Request::HEADER_FORWARDED; $trusted_header_set = Request::HEADER_X_FORWARDED_FOR | Request::HEADER_X_FORWARDED_HOST | Request::HEADER_X_FORWARDED_PORT | Request::HEADER_X_FORWARDED_PROTO | Request::HEADER_FORWARDED; $request::setTrustedProxies( $proxies, Loading core/tests/Drupal/Tests/Core/StackMiddleware/ReverseProxyMiddlewareTest.php +1 −1 Original line number Diff line number Diff line Loading 
@@ -63,7 +63,7 @@ public function reverseProxyEnabledProvider() { return [ 'Proxy with default trusted headers' => [ ['reverse_proxy_addresses' => ['127.0.0.2', '127.0.0.3']], Request::HEADER_FORWARDED | Request::HEADER_X_FORWARDED_ALL, Request::HEADER_FORWARDED | Request::HEADER_X_FORWARDED_FOR | Request::HEADER_X_FORWARDED_HOST | Request::HEADER_X_FORWARDED_PORT | Request::HEADER_X_FORWARDED_PROTO, ], 'Proxy with AWS trusted headers' => [ [ Loading sites/default/default.settings.php +11 −5 Original line number Diff line number Diff line Loading 
@@ -385,17 +385,20 @@ * Sets which headers to trust from your reverse proxy. * * Common values are: * - \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_ALL * - \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_FOR * - \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_HOST * - \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PORT * - \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PROTO * - \Symfony\Component\HttpFoundation\Request::HEADER_FORWARDED * * Note the default value of * @code * \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_ALL | \Symfony\Component\HttpFoundation\Request::HEADER_FORWARDED * \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_FOR | \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_HOST | \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PORT | \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PROTO | \Symfony\Component\HttpFoundation\Request::HEADER_FORWARDED * @endcode * is not secure by default. The value should be set to only the specific * headers the reverse proxy uses. For example: * @code * \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_ALL * \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_FOR | \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_HOST | \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PORT | \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PROTO * @endcode * This would trust the following headers: * - X_FORWARDED_FOR Loading 
@@ -403,11 +406,14 @@ * - X_FORWARDED_PROTO * - X_FORWARDED_PORT * * @see \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_ALL * @see \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_FOR * @see \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_HOST * @see \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PORT * @see \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PROTO * @see \Symfony\Component\HttpFoundation\Request::HEADER_FORWARDED * @see \Symfony\Component\HttpFoundation\Request::setTrustedProxies */ # $settings['reverse_proxy_trusted_headers'] = \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_ALL | \Symfony\Component\HttpFoundation\Request::HEADER_FORWARDED; # $settings['reverse_proxy_trusted_headers'] = \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_FOR | \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_HOST | \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PORT | \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PROTO | \Symfony\Component\HttpFoundation\Request::HEADER_FORWARDED; /** Loading Loading
core/assets/scaffold/files/default.settings.php +11 −5 Original line number Diff line number Diff line Loading @@ -385,17 +385,20 @@ * Sets which headers to trust from your reverse proxy. * * Common values are: * - \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_ALL * - \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_FOR * - \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_HOST * - \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PORT * - \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PROTO * - \Symfony\Component\HttpFoundation\Request::HEADER_FORWARDED * * Note the default value of * @code * \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_ALL | \Symfony\Component\HttpFoundation\Request::HEADER_FORWARDED * \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_FOR | \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_HOST | \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PORT | \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PROTO | \Symfony\Component\HttpFoundation\Request::HEADER_FORWARDED * @endcode * is not secure by default. The value should be set to only the specific * headers the reverse proxy uses. For example: * @code * \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_ALL * \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_FOR | \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_HOST | \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PORT | \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PROTO * @endcode * This would trust the following headers: * - X_FORWARDED_FOR Loading 
@@ -403,11 +406,14 @@ * - X_FORWARDED_PROTO * - X_FORWARDED_PORT * * @see \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_ALL * @see \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_FOR * @see \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_HOST * @see \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PORT * @see \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PROTO * @see \Symfony\Component\HttpFoundation\Request::HEADER_FORWARDED * @see \Symfony\Component\HttpFoundation\Request::setTrustedProxies */ # $settings['reverse_proxy_trusted_headers'] = \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_ALL | \Symfony\Component\HttpFoundation\Request::HEADER_FORWARDED; # $settings['reverse_proxy_trusted_headers'] = \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_FOR | \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_HOST | \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PORT | \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PROTO | \Symfony\Component\HttpFoundation\Request::HEADER_FORWARDED; /** Loading
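Review bot: The commented-out `$settings['reverse_proxy_trusted_headers']` sample at the end of the second hunk is the same five-flag value that the docblock above describes as not secure by default, so uncommenting it narrows nothing. The "For example" value in the first hunk now differs from that default only by leaving out `HEADER_FORWARDED`, which makes the advice to trust only the headers the proxy uses easy to miss. I would add one sentence to the docblock, such as `* A trusted header that the reverse proxy does not set or overwrite is taken from the client request unchanged.`, and make the sample line the narrower example value. The identical change in sites/default/default.settings.php has the same gap.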
core/lib/Drupal/Core/StackMiddleware/ReverseProxyMiddleware.php +1 −1 Original line number Diff line number Diff line Loading @@ -62,7 +62,7 @@ public static function setSettingsOnRequest(Request $request, Settings $settings if (count($proxies) > 0) { // Set the default value. This is the most relaxed setting possible and // not recommended for production. $trusted_header_set = Request::HEADER_X_FORWARDED_ALL | Request::HEADER_FORWARDED; $trusted_header_set = Request::HEADER_X_FORWARDED_FOR | Request::HEADER_X_FORWARDED_HOST | Request::HEADER_X_FORWARDED_PORT | Request::HEADER_X_FORWARDED_PROTO | Request::HEADER_FORWARDED; $request::setTrustedProxies( $proxies, Loading
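Review bot: The fallback assigned to `$trusted_header_set` still trusts `Forwarded` together with all four `X-Forwarded-*` headers, and the comment above it says only that this is not recommended for production. Now that the set is written out flag by flag, the comment should name the risk, for example `// Every header in this set that the proxy does not set or overwrite is read from the client request.` A site that configures `reverse_proxy_addresses` without `reverse_proxy_trusted_headers` presumably ends up with this set, which is worth stating in the same comment. setSettingsOnRequest() starts and ends outside the hunk, so the path by which the setting overrides this default is not visible here.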
core/tests/Drupal/Tests/Core/StackMiddleware/ReverseProxyMiddlewareTest.php +1 −1 Original line number Diff line number Diff line Loading @@ -63,7 +63,7 @@ public function reverseProxyEnabledProvider() { return [ 'Proxy with default trusted headers' => [ ['reverse_proxy_addresses' => ['127.0.0.2', '127.0.0.3']], Request::HEADER_FORWARDED | Request::HEADER_X_FORWARDED_ALL, Request::HEADER_FORWARDED | Request::HEADER_X_FORWARDED_FOR | Request::HEADER_X_FORWARDED_HOST | Request::HEADER_X_FORWARDED_PORT | Request::HEADER_X_FORWARDED_PROTO, ], 'Proxy with AWS trusted headers' => [ [ Loading
sites/default/default.settings.php +11 −5 Original line number Diff line number Diff line Loading @@ -385,17 +385,20 @@ * Sets which headers to trust from your reverse proxy. * * Common values are: * - \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_ALL * - \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_FOR * - \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_HOST * - \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PORT * - \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PROTO * - \Symfony\Component\HttpFoundation\Request::HEADER_FORWARDED * * Note the default value of * @code * \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_ALL | \Symfony\Component\HttpFoundation\Request::HEADER_FORWARDED * \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_FOR | \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_HOST | \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PORT | \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PROTO | \Symfony\Component\HttpFoundation\Request::HEADER_FORWARDED * @endcode * is not secure by default. The value should be set to only the specific * headers the reverse proxy uses. For example: * @code * \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_ALL * \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_FOR | \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_HOST | \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PORT | \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PROTO * @endcode * This would trust the following headers: * - X_FORWARDED_FOR Loading 
@@ -403,11 +406,14 @@ * - X_FORWARDED_PROTO * - X_FORWARDED_PORT * * @see \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_ALL * @see \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_FOR * @see \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_HOST * @see \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PORT * @see \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PROTO * @see \Symfony\Component\HttpFoundation\Request::HEADER_FORWARDED * @see \Symfony\Component\HttpFoundation\Request::setTrustedProxies */ # $settings['reverse_proxy_trusted_headers'] = \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_ALL | \Symfony\Component\HttpFoundation\Request::HEADER_FORWARDED; # $settings['reverse_proxy_trusted_headers'] = \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_FOR | \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_HOST | \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PORT | \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_PROTO | \Symfony\Component\HttpFoundation\Request::HEADER_FORWARDED; /** Loading