jdavidbakr / cloudfront-proxies
Sets proxy settings for Cloudfront in a Laravel project
Requires
- guzzlehttp/guzzle: ^6.3|^7.0
- illuminate/support: 5.6.*|5.7.*|5.8.*|6.*|7.*|8.*|^9.0|^10.0|^11.0|^12.0|^13.0
Requires (Dev)
- mockery/mockery: ~1.0
- orchestra/testbench: ~3.0|~4.0|~5.0|~6.0|^7.0|^8.0|^9.0|^10.0|^11.0
- phpunit/phpunit: ~7.0|~8.0|^9.0|^10.5|^11.5.3|^12.5.12
README
Purpose
One of the great things about putting your application behind a load balancer or CDN is that you can terminate your TLS there, and make the requests to your application via http. The problem with this, though, is that your application is not aware of the protocol with which it is being accessed. This will cause a problem with Laravel's URL generation tools, as the assets will be prefixed with http.
Laravel takes care of this nicely by using the TrustedProxies package, which allows you to define what IP addresses and what headers you want to use to convert the incoming request to the IP address and protocol of the originating request.
This was all wonderful, until Laravel 5.6 came out. This version of Laravel uses Symfony version 4, which no longer exposes the header you want to use to determine the protocol. Not a problem, you say, because you can use the X-Forwarded headers? It wouldn't be a problem, except for the fact that CloudFront uses a special header Cloudfront-Forwarded-Proto - and so now there is not a simple solution to set the protocol.
Further, you probably don't want to treat every IP address as a trusted proxy. Ideally, only CloudFront IP addresses should be listed as trusted proxies.
The solution
This package contains a simple middleware that does two very important tasks:
- Downloads the CloudFront IPv4 and IPv6 addresses into the trusted proxy IP addresses. This is cached according to your cache settings for one hour, so you are not making this call on every request.
- Adds the X-Forwarded-Proto header to your requests based on the Cloudfront-Forwarded-Proto value. This helps Symfony behave as if the original headers were what it needed in the first place.
This middleware only fires for requests that look like they came from CloudFront. It checks for any of the following headers:
- Cloudfront-Forwarded-Proto
- Cloudfront-Forwarded-Port
- Cloudfront-Viewer-Address
- X-Amz-Cf-Id
So it is ignored if you are using other load balancers or accessing the server directly.
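The trust decision behind both tasks, as an added example in plain PHP (not the package's own code): the marker headers can be set by any client that reaches the origin directly, so the forwarded protocol is honored only when the connecting peer falls inside a CloudFront range. The function names are hypothetical, and the range data is a constructed sample shaped like AWS's published ip-ranges.json.

```php
<?php
// Added example, not the package's code; function names and sample data are hypothetical.
// Constructed sample shaped like AWS's published ip-ranges.json, using documentation ranges.
const SAMPLE_RANGES = '{"prefixes":[{"ip_prefix":"198.51.100.0/24","service":"CLOUDFRONT"},
  {"ip_prefix":"203.0.113.0/24","service":"EC2"}],
  "ipv6_prefixes":[{"ipv6_prefix":"2001:db8:100::/48","service":"CLOUDFRONT"}]}';
// Marker headers listed in the README, lower-cased.
const CLOUDFRONT_MARKERS = ['cloudfront-forwarded-proto', 'cloudfront-forwarded-port',
    'cloudfront-viewer-address', 'x-amz-cf-id'];
// Keep only CLOUDFRONT prefixes (IPv4 and IPv6) from the range document.
function cloudfrontCidrs(string $json): array {
    $data = json_decode($json, true, 16, JSON_THROW_ON_ERROR);
    $cidrs = [];
    foreach (['prefixes' => 'ip_prefix', 'ipv6_prefixes' => 'ipv6_prefix'] as $list => $key) {
        foreach ($data[$list] ?? [] as $entry) {
            if (($entry['service'] ?? '') === 'CLOUDFRONT') { $cidrs[] = $entry[$key]; }
        }
    }
    return $cidrs;
}

// Binary CIDR match that works for both address families.
function ipInCidr(string $ip, string $cidr): bool {
    [$net, $bits] = explode('/', $cidr, 2) + [1 => null];
    $ipBin = @inet_pton($ip); $netBin = @inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) { return false; }
    $max = strlen($ipBin) * 8; $bits = $bits ?? (string) $max;
    if (!ctype_digit($bits) || (int) $bits > $max) { return false; }
    $bytes = intdiv((int) $bits, 8); $rem = (int) $bits % 8;
    if (substr($ipBin, 0, $bytes) !== substr($netBin, 0, $bytes)) { return false; }
    if ($rem === 0) { return true; }
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return (ord($ipBin[$bytes]) & $mask) === (ord($netBin[$bytes]) & $mask);
}

// Honor Cloudfront-Forwarded-Proto only when the TCP peer is inside a CloudFront range.
function effectiveScheme(string $peerIp, array $headers, array $cidrs, string $transport = 'http'): string {
    if (!array_intersect(CLOUDFRONT_MARKERS, array_keys($headers))) { return $transport; }
    $trusted = false;
    foreach ($cidrs as $cidr) { if (ipInCidr($peerIp, $cidr)) { $trusted = true; break; } }
    if (!$trusted) { return $transport; } // marker headers alone prove nothing
    $proto = strtolower($headers['cloudfront-forwarded-proto'] ?? '');
    return in_array($proto, ['http', 'https'], true) ? $proto : $transport;
}
$cidrs = cloudfrontCidrs(SAMPLE_RANGES);
$h = ['cloudfront-forwarded-proto' => 'https', 'x-amz-cf-id' => 'constructed-id'];
var_dump(effectiveScheme('198.51.100.7', $h, $cidrs));    // peer inside a CloudFront range
var_dump(effectiveScheme('203.0.113.9', $h, $cidrs));     // same headers, peer outside the ranges
var_dump(effectiveScheme('2001:db8:100::1', $h, $cidrs)); // IPv6 peer inside a CloudFront range
```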
Usage
To use, simply install via composer:
composer require jdavidbakr/cloudfront-proxies
Then add the middleware to your kernel after the TrustProxies middleware:
\App\Http\Middleware\TrustProxies::class,
\jdavidbakr\CloudfrontProxies\CloudfrontProxies::class,
If you desire, you may publish the config file to give you access to some options:
php artisan vendor:publish
This will publish a cloudfront-proxies.php config file that you may edit.
By default, this package maps the parsed Cloudfront-Viewer-Address IP into X-Forwarded-For, so Laravel/Symfony Request::getClientIp() (or Request::clientIp()) resolves to the viewer IP when behind CloudFront.
You do not need to set viewer-address-attribute for getClientIp() to work.
viewer-address-attribute is only an optional extra request attribute if you want to read the parsed viewer IP directly from request attributes:
// config/cloudfront-proxies.php
'viewer-address-attribute' => 'cloudfront_viewer_ip',
By default, this optional attribute is disabled (null).
If you want to disable the mapping of Cloudfront-Viewer-Address into X-Forwarded-For:
// config/cloudfront-proxies.php
'viewer-address-to-forwarded-for' => false,
And everything should be good to go from here.