@@ -175,8 +175,31 @@ handling the request::
175175 // ...
176176 $response = $kernel->handle($request);
177177
178+ Overriding Configuration Behind Hidden SSL Termination
179+ ------------------------------------------------------
180+
181+ Some cloud setups (like running a Docker container with the "Web App for Containers"
182+ in `Microsoft Azure `_) do SSL termination and contact your web server over HTTP, but
183+ do not change the remote address nor set the ``X-Forwarded-* `` headers. This means
184+ the trusted proxy feature of Symfony can't help you.
185+
186+ Once you made sure your server is only reachable through the cloud proxy over HTTPS
187+ and not through HTTP, you can override the information your web server sends to PHP.
188+ For Nginx, this could look like this:
189+
190+ .. code-block :: nginx
191+
192+ location ~ ^/index\.php$ {
193+ fastcgi_pass 127.0.0.1:9000;
194+ include fastcgi.conf;
195+ # Lie to Symfony about the protocol and port so that it generates the correct HTTPS URLs
196+ fastcgi_param SERVER_PORT "443";
197+ fastcgi_param HTTPS "on";
198+ }
199+
178200`security groups` : https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-groups.html
179201.. _`CloudFront` : https://en.wikipedia.org/wiki/Amazon_CloudFront
180202.. _`CloudFront IP ranges` : https://ip-ranges.amazonaws.com/ip-ranges.json
181203.. _`HTTP Host header attacks` : https://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html
182204.. _`nginx realip module` : https://nginx.org/en/docs/http/ngx_http_realip_module.html
205+ .. _`Microsoft Azure` : https://en.wikipedia.org/wiki/Microsoft_Azure
0 commit comments