From b1a199d5aae622f713cf89521875f26af1ac2b62 Mon Sep 17 00:00:00 2001 From: Vidar Langseid Date: Wed, 14 Jan 2026 13:38:57 +0100 Subject: [PATCH 1/3] IBX-11181: Trusted Proxies is not set on Ibexa Cloud --- .../TrustedHeaderClientIpEventSubscriber.php | 33 ++----------------- src/bundle/Core/Resources/config/services.yml | 2 -- 2 files changed, 2 insertions(+), 33 deletions(-) diff --git a/src/bundle/Core/EventSubscriber/TrustedHeaderClientIpEventSubscriber.php b/src/bundle/Core/EventSubscriber/TrustedHeaderClientIpEventSubscriber.php index cff112d523..857f3226b6 100644 --- a/src/bundle/Core/EventSubscriber/TrustedHeaderClientIpEventSubscriber.php +++ b/src/bundle/Core/EventSubscriber/TrustedHeaderClientIpEventSubscriber.php @@ -15,16 +15,6 @@ final class TrustedHeaderClientIpEventSubscriber implements EventSubscriberInterface { - private const PLATFORM_SH_TRUSTED_HEADER_CLIENT_IP = 'X-Client-IP'; - - private ?string $trustedHeaderName; - - public function __construct( - ?string $trustedHeaderName - ) { - $this->trustedHeaderName = $trustedHeaderName; - } - public static function getSubscribedEvents(): array { return [ 
@@ -36,28 +26,9 @@ public function onKernelRequest(RequestEvent $event): void { $request = $event->getRequest(); - $trustedProxies = Request::getTrustedProxies(); - $trustedHeaderSet = Request::getTrustedHeaderSet(); - - $trustedHeaderName = $this->trustedHeaderName; - if (null === $trustedHeaderName && $this->isPlatformShProxy($request)) { - $trustedHeaderName = self::PLATFORM_SH_TRUSTED_HEADER_CLIENT_IP; + if ($this->isPlatformShProxy($request) && $request->headers->get('Client-Cdn') === 'fastly') { + Request::setTrustedProxies(['REMOTE_ADDR'], Request::getTrustedHeaderSet()); } - - if (null === $trustedHeaderName) { - return; - } - - $trustedClientIp = $request->headers->get($trustedHeaderName); - - if (null !== $trustedClientIp) { - if ($trustedHeaderSet !== -1) { - $trustedHeaderSet |= Request::HEADER_X_FORWARDED_FOR; - } - $request->headers->set('X_FORWARDED_FOR', $trustedClientIp); - } - - Request::setTrustedProxies($trustedProxies, $trustedHeaderSet); } private function isPlatformShProxy(Request $request): bool diff --git a/src/bundle/Core/Resources/config/services.yml b/src/bundle/Core/Resources/config/services.yml index 166b1940cc..09d1b5c8ff 100644 --- a/src/bundle/Core/Resources/config/services.yml +++ b/src/bundle/Core/Resources/config/services.yml @@ -312,8 +312,6 @@ services: $cache: '@ibexa.cache_pool' Ibexa\Bundle\Core\EventSubscriber\TrustedHeaderClientIpEventSubscriber: - arguments: - $trustedHeaderName: '%ibexa.trusted_header_client_ip_name%' tags: - {name: kernel.event_subscriber} From c7704dafb095c862bf0886d40850ea6a37d761c1 Mon Sep 17 00:00:00 2001 From: Vidar Langseid Date: Mon, 19 Jan 2026 14:25:35 +0100 Subject: [PATCH 2/3] Fixed tests --- ...ustedHeaderClientIpEventSubscriberTest.php | 113 +++--------------- 1 file changed, 19 insertions(+), 94 deletions(-) 
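Review bot: The new condition in onKernelRequest decides proxy trust from the `Client-Cdn` request header, which is sender-supplied unless the platform router strips or overwrites it before the request reaches PHP; nothing in this hunk shows that guarantee. If the header can arrive unchanged from a non-Fastly peer on an environment where isPlatformShProxy() is true, that peer's REMOTE_ADDR becomes a trusted proxy and its forwarded headers (client IP, host, scheme) are then believed. I would gate this on something the sender cannot set, such as an explicit deployment-side flag or configured proxy ranges, and state the assumption in a comment like `// Client-Cdn is only meaningful if the platform edge overwrites it; confirm before relying on it`. Request::setTrustedProxies() is also static, so on a long-running worker the trust would persist into later requests that do not meet the condition, and Request::getTrustedHeaderSet() may still be the `-1` value the removed code special-cased. isPlatformShProxy() is defined outside the hunk.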
diff --git a/tests/bundle/Core/EventSubscriber/TrustedHeaderClientIpEventSubscriberTest.php b/tests/bundle/Core/EventSubscriber/TrustedHeaderClientIpEventSubscriberTest.php index 55446a653d..10ba846463 100644 --- a/tests/bundle/Core/EventSubscriber/TrustedHeaderClientIpEventSubscriberTest.php +++ b/tests/bundle/Core/EventSubscriber/TrustedHeaderClientIpEventSubscriberTest.php @@ -19,16 +19,8 @@ final class TrustedHeaderClientIpEventSubscriberTest extends TestCase { - private const PLATFORM_SH_TRUSTED_HEADER_CLIENT_IP = 'X-Client-IP'; - private ?string $originalRemoteAddr; - private const PROXY_IP = '127.100.100.1'; - - private const REAL_CLIENT_IP = '98.76.123.234'; - - private const CUSTOM_CLIENT_IP = '234.123.78.98'; - /** * @param array $data */ 
@@ -53,114 +45,47 @@ protected function tearDown(): void public function getTrustedHeaderEventSubscriberTestData(): array { return [ - 'default behaviour' => [ - self::REAL_CLIENT_IP, - self::REAL_CLIENT_IP, + 'request from random client received on non-Upsun platform' => [ + false, + [], + [], ], - 'use custom header name with valid value' => [ - self::REAL_CLIENT_IP, - self::PROXY_IP, - 'X-Custom-Header', - ['X-Custom-Header' => self::REAL_CLIENT_IP], - ], - 'use custom header name without valid value' => [ - self::PROXY_IP, - self::PROXY_IP, - 'X-Custom-Header', - ], - 'use custom header value without custom header name' => [ - self::PROXY_IP, - self::PROXY_IP, - null, - ['X-Custom-Header' => self::REAL_CLIENT_IP], - ], - 'default platform.sh behaviour' => [ - self::REAL_CLIENT_IP, - self::PROXY_IP, - null, - ['X-Client-IP' => self::REAL_CLIENT_IP], - ['PLATFORM_RELATIONSHIPS' => true], + 'request from random client, forging Client-Cdn received on non-Upsun platform' => [ + false, + ['Client-Cdn' => 'fastly'], + [], ], - 'use custom header name without valid value on platform.sh' => [ - self::PROXY_IP, - self::PROXY_IP, - 'X-Custom-Header', - [self::PLATFORM_SH_TRUSTED_HEADER_CLIENT_IP => self::REAL_CLIENT_IP], + 'request from random client received on Upsun platform' => [ + false, + [], ['PLATFORM_RELATIONSHIPS' => true], ], - 'use custom header with valid value on platform.sh' => [ - self::CUSTOM_CLIENT_IP, - self::PROXY_IP, - 'X-Custom-Header', - [ - self::PLATFORM_SH_TRUSTED_HEADER_CLIENT_IP => self::REAL_CLIENT_IP, - 'X-Custom-Header' => self::CUSTOM_CLIENT_IP, - ], - ['PLATFORM_RELATIONSHIPS' => true], - ], - 'use valid value without custom header name on platform.sh' => [ - self::REAL_CLIENT_IP, - self::PROXY_IP, - null, - [ - self::PLATFORM_SH_TRUSTED_HEADER_CLIENT_IP => self::REAL_CLIENT_IP, - 'X-Custom-Header' => self::CUSTOM_CLIENT_IP, - ], + 'request via Fastly received on Upsun platform' => [ + true, + ['Client-Cdn' => 'fastly'], 
['PLATFORM_RELATIONSHIPS' => true], ], ]; } - public function testTrustedHeaderEventSubscriberWithoutTrustedProxy(): void - { - $_SERVER['REMOTE_ADDR'] = self::PROXY_IP; - - $eventDispatcher = new EventDispatcher(); - $eventDispatcher->addSubscriber( - new TrustedHeaderClientIpEventSubscriber('X-Custom-Header') - ); - - $request = Request::create('/', 'GET', [], [], [], array_merge( - $_SERVER, - ['PLATFORM_RELATIONSHIPS' => true], - )); - $request->headers->add([ - 'X-Custom-Header' => self::REAL_CLIENT_IP, - ]); - - $event = $eventDispatcher->dispatch(new RequestEvent( - self::createMock(KernelInterface::class), - $request, - HttpKernelInterface::MAIN_REQUEST - ), KernelEvents::REQUEST); - - /** @var \Symfony\Component\HttpFoundation\Request $request */ - $request = $event->getRequest(); - - self::assertEquals(self::PROXY_IP, $request->getClientIp()); - } - /** * @dataProvider getTrustedHeaderEventSubscriberTestData */ public function testTrustedHeaderEventSubscriberWithTrustedProxy( - string $expectedIp, - string $remoteAddrIp, - ?string $trustedHeaderName = null, + bool $isFromTrustedProxy, array $headers = [], array $server = [] ): void { - $_SERVER['REMOTE_ADDR'] = $remoteAddrIp; - Request::setTrustedProxies(['REMOTE_ADDR'], Request::getTrustedHeaderSet()); + $_SERVER['REMOTE_ADDR'] = '1.2.3.4'; $eventDispatcher = new EventDispatcher(); $eventDispatcher->addSubscriber( - new TrustedHeaderClientIpEventSubscriber($trustedHeaderName) + new TrustedHeaderClientIpEventSubscriber() ); $request = Request::create('/', 'GET', [], [], [], array_merge( $server, - ['REMOTE_ADDR' => $remoteAddrIp], + ['REMOTE_ADDR' => '1.2.3.4'], )); $request->headers->add($headers); 
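Review bot: The data provider has no case for a request on an Upsun environment (`PLATFORM_RELATIONSHIPS` set) that carries `Client-Cdn: fastly` without coming from Fastly, and the 'request via Fastly received on Upsun platform' case is exactly that input, so its expected `true` documents that any sender of the header is trusted there. If that is the intended contract, say so in a comment on the case, e.g. `// assumes the platform edge sets Client-Cdn; a client-supplied value is indistinguishable here`. The test body also no longer calls Request::setTrustedProxies() itself, so each case depends on static state left by earlier ones. The only `true` case runs last, which hides this unless tearDown() (outside the hunk) resets the trusted proxies.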
@@ -173,6 +98,6 @@ public function testTrustedHeaderEventSubscriberWithTrustedProxy( /** @var \Symfony\Component\HttpFoundation\Request $request */ $request = $event->getRequest(); - self::assertEquals($expectedIp, $request->getClientIp()); + self::assertEquals($isFromTrustedProxy, $request->isFromTrustedProxy()); } } From ec3cba030cead943ae321eb3d8b250e6cc6024fa Mon Sep 17 00:00:00 2001 From: Vidar Langseid Date: Mon, 19 Jan 2026 15:47:51 +0100 Subject: [PATCH 3/3] fixup! Fixed tests --- .../TrustedHeaderClientIpEventSubscriberTest.php | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/tests/bundle/Core/EventSubscriber/TrustedHeaderClientIpEventSubscriberTest.php b/tests/bundle/Core/EventSubscriber/TrustedHeaderClientIpEventSubscriberTest.php index 10ba846463..14299a8c23 100644 --- a/tests/bundle/Core/EventSubscriber/TrustedHeaderClientIpEventSubscriberTest.php +++ b/tests/bundle/Core/EventSubscriber/TrustedHeaderClientIpEventSubscriberTest.php @@ -21,6 +21,8 @@ final class TrustedHeaderClientIpEventSubscriberTest extends TestCase { private ?string $originalRemoteAddr; + private const REAL_CLIENT_IP = '98.76.123.234'; + /** * @param array $data */ @@ -76,7 +78,7 @@ public function testTrustedHeaderEventSubscriberWithTrustedProxy( array $headers = [], array $server = [] ): void { - $_SERVER['REMOTE_ADDR'] = '1.2.3.4'; + $_SERVER['REMOTE_ADDR'] = self::REAL_CLIENT_IP; $eventDispatcher = new EventDispatcher(); $eventDispatcher->addSubscriber( @@ -85,7 +87,7 @@ public function testTrustedHeaderEventSubscriberWithTrustedProxy( $request = Request::create('/', 'GET', [], [], [], array_merge( $server, - ['REMOTE_ADDR' => '1.2.3.4'], + ['REMOTE_ADDR' => self::REAL_CLIENT_IP], )); $request->headers->add($headers);
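Review bot: The replaced assertion checks only `isFromTrustedProxy()`, so nothing now verifies that the client address is actually resolved from the forwarded header once the proxy is trusted, nor that it stays at REMOTE_ADDR when it is not. For the Fastly case I would add a forwarded header to `$headers` and keep a `getClientIp()` assertion next to the new one, and use `self::assertSame($isFromTrustedProxy, $request->isFromTrustedProxy());` since the value is a bool. In the later fixup hunks the constant `REAL_CLIENT_IP` is assigned to REMOTE_ADDR, which is the peer address rather than the end client's, so a name such as `REMOTE_ADDR_IP` would read more accurately.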