[Security] Not possible to restrict ESI routes to only the Symfony 2 reverse proxy. #6982
Oh, I think it's quite an annoying bug; this means HttpCache is currently broken. I can see some code in here: https://github.com/symfony/symfony/blob/master/src/Symfony/Component/HttpKernel/EventListener/FragmentListener.php#L73, which, IIUC, throws a 403 when the client requesting a fragment (such as an ESI) isn't on the same machine or on the trusted IPs list. You can't see the bug when you develop because usually your webserver is localhost. IMO HttpCache should act as a real reverse proxy: switch REMOTE_ADDR to 127.0.0.1 and add the real one to the X-Forwarded-For chain.

This should be tagged as critical and a 2.2 blocker.

@fabpot any thoughts?
I've just submitted a PR to fix that issue, see #7034 |
This PR was submitted for the 2.2 branch but it was merged into the 2.1 branch instead (closes #7034).

Commits
-------

1fdded5 [HttpKernel] added support for the X-Forwarded-For header (closes #6982, closes #7000)
be65d7c [HttpKernel] fixed the IP address in HttpCache when calling the backend

Discussion
----------

Make HttpCache behave more like a real reverse proxy

| Q             | A            |
| ------------- | ------------ |
| Bug fix?      | yes          |
| New feature?  | no           |
| BC breaks?    | no           |
| Deprecations? | no           |
| Tests pass?   | yes          |
| Fixed tickets | #6982, #7000 |
| License       | MIT          |
| Doc PR        | n/a          |

---------------------------------------------------------------------------

by bendavies at 2013-02-10T00:55:29Z

Awesome, thanks Fabien. Should this not target 2.0/2.1?

wonderful!
* 2.1:
  * added support for the X-Forwarded-For header (closes #6982, closes #7000)
  * fixed the IP address in HttpCache when calling the backend
  * [EventDispatcher] Added assertion.
  * [EventDispatcher] Fix removeListener
  * [DependencyInjection] Add clone for resources which were introduced in 2.1
  * [DependencyInjection] Allow frozen containers to be dumped to graphviz
  * Fix 'undefined index' error, when entering scope recursively
  * [Security] fixed session creation on login (closes #7011)
  * Add dot character `.` to legal mime subtype regular expression
  * [HttpFoundation] fixed the creation of sub-requests under some circumstances (closes #6923, closes #6936)

* 2.2:
  * Fixed XmlFileLoaderTest::testLoadThrowsExceptionWithInvalidFileEvenWithoutSchemaValidation
  * moved file hash calculation to own method
  * [Validator] Add check for existing metadata on property
  * added support for the X-Forwarded-For header (closes #6982, closes #7000)
  * fixed the IP address in HttpCache when calling the backend
  * [EventDispatcher] Added assertion.
  * [EventDispatcher] Fix removeListener
  * [DependencyInjection] Add clone for resources which were introduced in 2.1
  * [DependencyInjection] Allow frozen containers to be dumped to graphviz
  * Fix 'undefined index' error, when entering scope recursively
  * [Security] fixed session creation on login (closes #7011)
  * replaced usage of the deprecated pattern routing key (replaced with path)
  * Add dot character `.` to legal mime subtype regular expression
  * [HttpFoundation] fixed the creation of sub-requests under some circumstances (closes #6923, closes #6936)
Ref: http://symfony.com/doc/current/book/security.html#securing-by-ip
This is not possible if using the Symfony 2 reverse proxy.

If you are implementing a situation exactly as in the above link, you cannot limit ESI calls to only be accessible to the S2 reverse proxy.

When making the ESI request, the client IP of the ESI request that Symfony2 formulates is the same as the original master request for the parent page, i.e. the original client's IP address.
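The mechanism behind this report and the first comment, as an added illustration in plain PHP (this is not Symfony's own code, and `isTrustedFragmentClient`, `buildBackendServerVars`, `originalClientIp`, `handleFragmentRequest`, the trusted-IP list and every IP address are constructed for the example): a fragment route that only admits local or trusted callers, a sub-request that keeps the client's IP and is therefore refused, the same sub-request built the way a real reverse proxy builds it, and a direct external hit on the fragment route that is still refused even with a forged `X-Forwarded-For`.

```php
<?php
// Added illustration for this issue; not Symfony's own code. It models in plain PHP
// the two pieces involved: the IP check a fragment listener applies to ESI routes,
// and the server variables a reverse proxy (the HttpCache role) hands to the backend
// kernel when it resolves an ESI include. All IP addresses are constructed.

/**
 * The check made on fragment (ESI) routes: the caller must be the local machine
 * or one of the configured trusted IPs. Anything else is answered with 403.
 */
function isTrustedFragmentClient(string $remoteAddr, array $trustedIps): bool
{
    $local = ['127.0.0.1', '::1'];

    return in_array($remoteAddr, $local, true) || in_array($remoteAddr, $trustedIps, true);
}

/**
 * Server variables for the ESI sub-request as a real reverse proxy sets them:
 * the backend sees the proxy as its peer (REMOTE_ADDR = 127.0.0.1) and the
 * original client IP is appended to the X-Forwarded-For chain rather than lost.
 */
function buildBackendServerVars(array $proxyServer): array
{
    $backend  = $proxyServer;
    $clientIp = $proxyServer['REMOTE_ADDR'];
    $chain    = $proxyServer['HTTP_X_FORWARDED_FOR'] ?? '';

    $backend['HTTP_X_FORWARDED_FOR'] = $chain === '' ? $clientIp : $chain . ', ' . $clientIp;
    $backend['REMOTE_ADDR']          = '127.0.0.1';

    return $backend;
}

/**
 * Client IP to log on the backend: the last hop of X-Forwarded-For, and only
 * when the peer that sent the header is a trusted proxy. A header arriving from
 * an untrusted peer is ignored and the peer's own address is used instead.
 */
function originalClientIp(array $backendServer, array $trustedProxies): string
{
    $peer  = $backendServer['REMOTE_ADDR'];
    $chain = $backendServer['HTTP_X_FORWARDED_FOR'] ?? '';

    if ($chain === '' || !in_array($peer, $trustedProxies, true)) {
        return $peer;
    }
    $hops = array_map('trim', explode(',', $chain));

    return end($hops);
}

/** Outcome of a request hitting the /_fragment route on the backend. */
function handleFragmentRequest(array $server, array $trustedIps): array
{
    if (!isTrustedFragmentClient($server['REMOTE_ADDR'], $trustedIps)) {
        return ['status' => 403, 'client' => $server['REMOTE_ADDR']];
    }

    return ['status' => 200, 'client' => originalClientIp($server, $trustedIps)];
}

// --- constructed scenario ---
$trustedIps    = ['127.0.0.1'];  // the cache runs on the same host as the backend
$clientRequest = ['REMOTE_ADDR' => '203.0.113.10', 'REQUEST_URI' => '/page'];

// 1. Behaviour reported in the issue: the ESI sub-request carries the client's IP,
//    so the fragment route rejects the cache's own request.
$buggy = array_merge($clientRequest, ['REQUEST_URI' => '/_fragment']);
$r = handleFragmentRequest($buggy, $trustedIps);
printf("sub-request keeping client IP: %d (peer %s)\n", $r['status'], $r['client']);

// 2. Reverse-proxy behaviour: REMOTE_ADDR switched to the proxy, real client kept
//    in X-Forwarded-For, so the backend can both admit the request and log the client.
$fixed = buildBackendServerVars(array_merge($clientRequest, ['REQUEST_URI' => '/_fragment']));
$r = handleFragmentRequest($fixed, $trustedIps);
printf("sub-request via proxy: %d (original client %s)\n", $r['status'], $r['client']);

// 3. A request reaching /_fragment from outside the host, even with a forged
//    X-Forwarded-For, is still refused: the IP check looks at the peer, not the header.
$direct = ['REMOTE_ADDR' => '198.51.100.7', 'REQUEST_URI' => '/_fragment',
           'HTTP_X_FORWARDED_FOR' => '127.0.0.1'];
$r = handleFragmentRequest($direct, $trustedIps);
printf("direct external request: %d (peer %s)\n", $r['status'], $r['client']);
```

Run it with the PHP CLI; cases 1 and 3 print a 403 and case 2 prints a 200 with the original client address recovered from the chain. The point of case 3 is that trusting `X-Forwarded-For` only from a known proxy peer is what keeps the "securing by IP" rule from the linked docs meaningful once the cache starts rewriting `REMOTE_ADDR`.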