Description
Symfony version(s) affected
7.3.0
Description
Hi Symfony team,
I’m running a Symfony application on Clever Cloud, following their documentation for configuring trusted proxies.
During performance testing using k6 and Blackfire, I noticed that a significant portion of each HTTP request (~20%) is spent in IP validation logic, specifically in the following functions:
- Symfony\Component\HttpKernel\EventListener\ValidateRequestListener::onKernelRequest()
- Symfony\Component\HttpFoundation\Request::isFromTrustedProxy()
- Symfony\Component\HttpFoundation\IpUtils::checkIp() / checkIp4()
In particular, the function checkIp4() was called 978 times for a single request, which seems excessive.
Upon investigating, I found that the application is behind a large number of IPs defined via the $_SERVER['TRUSTED_PROXIES'] env var (populated from Clever Cloud's CC_REVERSE_PROXY_IPS), which contains 619 IPs.
This causes Symfony to loop through all IPs for each request to validate whether the client IP is trusted or not. While the logic is technically correct, the performance impact is considerable.
🔍 Related code paths
ValidateRequestListener
Request::isFromTrustedProxy()
Request::isFromTrustedProxyIp()
IpUtils::checkIp4()
📊 Blackfire profile
💡 Suggestions / Possible improvements
- Could we optimize the isFromTrustedProxy() logic for cases where there are hundreds of trusted proxies?
- Would it be possible to use another data structure for a faster check?
- Alternatively, would it make sense to cache the resolved trusted proxy status per request?
Thanks in advance for your help!
I’m happy to help test or prototype any suggested improvements.
How to reproduce
Setting a large number of trusted proxy IPs.
Possible Solution
No response
Additional Context
No response
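
Added example, not part of the original issue and not Symfony's code: one way to realise the "other data structure" suggestion above for IPv4, assuming 64-bit PHP. The hypothetical `TrustedProxyIndex` class groups entries by prefix length into hash sets, so a lookup costs at most 33 probes however many proxies are listed; IPv6 entries are out of scope here and are rejected.

```php
<?php
declare(strict_types=1);

// Added illustration, not Symfony code. TrustedProxyIndex is a hypothetical name.
// Assumes 64-bit PHP, where ip2long() returns a non-negative integer.
final class TrustedProxyIndex
{
    /** @var array<int, array<int, true>> prefix length => set of network addresses */
    private array $byPrefix = [];

    /** @param string[] $entries IPv4 addresses or CIDR ranges */
    public function __construct(array $entries)
    {
        foreach ($entries as $entry) {
            [$addr, $bits] = array_pad(explode('/', $entry, 2), 2, '32');
            $long = ip2long($addr);
            if ($long === false || !ctype_digit($bits) || (int) $bits > 32) {
                // Fail closed: a malformed entry must never widen the trust set.
                throw new InvalidArgumentException("Invalid trusted proxy entry: $entry");
            }
            $bits = (int) $bits;
            $this->byPrefix[$bits][$long & self::mask($bits)] = true;
        }
    }

    public function contains(string $ip): bool
    {
        $long = ip2long($ip);
        if ($long === false) {
            return false; // not a valid IPv4 address, so never trusted
        }
        // One hash probe per distinct prefix length instead of one test per entry.
        foreach ($this->byPrefix as $bits => $networks) {
            if (isset($networks[$long & self::mask($bits)])) {
                return true;
            }
        }
        return false;
    }

    private static function mask(int $bits): int
    {
        return (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
    }
}
// Constructed sample entries (documentation ranges), not a real proxy list.
$index = new TrustedProxyIndex(['192.0.2.10', '198.51.100.0/24', '203.0.113.64/26']);
var_dump($index->contains('198.51.100.77')); // address inside the /24
var_dump($index->contains('203.0.113.130')); // address outside the /26
```

Any replacement for the linear scan has to return exactly the same answer for every address, because this check decides whether forwarded headers such as X-Forwarded-For are believed; compare it against IpUtils::checkIp() over the full proxy list before relying on it.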