Feat: support for RR in Docker behind proxy in another Docker

[FluffyDiscord]

If RR is running inside Docker and we simply pass https requests from proxy (basicaly proxy manages certificates) to the RR instance as http, the parsed uri scheme in this bundle will always be in this case http and Symfony will now use invalid schema or add 443 port when generating URLs.

Checking if X-Forwarded-Proto is trusted header and making it priority in HttpFoundationWoker->configureServer() fixes this issue. To make the rest of Symfony proxy features work we also need to set REMOTE_ADDR to the X-Forwarded-For header, also only if its trusted.

This should be a non breaking change for everyone.

[Baldinof]

Did you tried the framework.trusted_proxies option, like here: https://symfony.com/doc/current/deployment/proxies.html

If the proxy is local, you should add 127.0.0.1.

I did it locally and it seems to work as expected:

$ curl http://localhost:8080/test -H 'x-forwarded-proto: https'
{"url":"https:\/\/localhost:8080\/home"}

$ curl http://localhost:8080/test
{"url":"http:\/\/localhost:8080\/home"}

[FluffyDiscord]

I did try, my framework.yaml looks like this (I was desperate):

framework:
    trusted_proxies: '127.0.0.1/8,REMOTE_ADDR,SERVER_NAME'
    trusted_headers: [ 'x-forwarded-for', 'x-forwarded-host', 'x-forwarded-proto', 'x-forwarded-port', 'x-forwarded-prefix' ]

That did not work, until I added changes in this PR.

Basically, my setup is like this: HTTPS Web > Nginx in Docker > HTTP to RR & Symfony in another Docker

[Baldinof]

By chance, would you be able to provide a reproducer repo?

[FluffyDiscord]

Not sure if entirely possible. I bumped into that issue after deploying to production - on real domain. The docker nginx proxy cannot generate/use self signed certificates to simulate it locally. You need to have live domain. If thats okay, I can probably create reproducer with docker-compose, tho you will need to deploy it somewhere yourself.

[Baldinof]

Yeah I have domains to test it :)

[yunicot]

@FluffyDiscord I had the similar problem and the problem was in "trusted_proxies" param

framework:
    trusted_proxies: '10.0.0.0/8,127.0.0.0/8,172.16.0.0/12,192.168.0.0/16'
    trusted_headers: [ 'x-forwarded-for', 'x-forwarded-host', 'x-forwarded-proto', 'x-forwarded-port' ]

For example, on local env I am using "nginx-proxy" docker image and it pass the ip 192.168.0.0/16
Did you try to check what you receive in REMOTE_ADDR?

Also, we are mapping the x-forwarded-* in nginx config for prod