Ref: http://symfony.com/doc/current/book/security.html#securing-by-ip

the ESI route must be secured to be only visible from the trusted reverse proxy cache.

This is not possible if using the Symfony 2 Reverse proxy.

If you are implementing a situation exactly as in the above link, you cannot limit ESI calls to only be accessible to the S2 reverse proxy.

When making the ESI request, the client IP of the of the ESI request that Symfony2 formulates is the same as the original master request for the parent page. i.e the original client's IP address.