@@ -164,8 +164,31 @@ handling the request::
164164 // ...
165165 $response = $kernel->handle($request);
166166
167+ Overriding configuration behind hidden SSL termination
168+ ------------------------------------------------------
169+
170+ Some cloud setups (like running a Docker container with the "Web App for Containers"
171+ in `Microsoft Azure `_) do SSL termination and contact your web server over http, but
172+ do not change the remote address nor set the ``X-Forwarded-* `` headers. This means
173+ the trusted proxy funcationality of Symfony can't help you.
174+
175+ Once you made sure your server is only reachable through the cloud proxy over HTTPS
176+ and not through HTTP, you can override the information your web server sends to PHP.
177+ For Nginx, this could look like this:
178+
179+ .. code-block :: nginx
180+
181+ location ~ ^/index\.php$ {
182+ fastcgi_pass 127.0.0.1:9000;
183+ include fastcgi.conf;
184+ # Lie to symfony about the protocol and port so that it generates the correct https URLs
185+ fastcgi_param SERVER_PORT "443";
186+ fastcgi_param HTTPS "on";
187+ }
188+
167189`security groups` : https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-groups.html
168190.. _`CloudFront` : https://en.wikipedia.org/wiki/Amazon_CloudFront
169191.. _`CloudFront IP ranges` : https://ip-ranges.amazonaws.com/ip-ranges.json
170192.. _`HTTP Host header attacks` : https://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html
171193.. _`nginx realip module` : https://nginx.org/en/docs/http/ngx_http_realip_module.html
194+ .. _`Microsoft Azure` : https://en.wikipedia.org/wiki/Microsoft_Azure
0 commit comments