From cbf75f64e83985b0028d83ceeadb8956ca653b30 Mon Sep 17 00:00:00 2001
From: Nyholm
Date: Wed, 11 Mar 2020 14:24:13 +0100
Subject: [PATCH 1/2] Use Trusted proxies

---
 Symfony/assets/public/index.php | 8 ++++----
 Symfony/assets/serverless.yml   | 1 +
 Symfony/binary/public/index.php | 8 ++++----
 Symfony/binary/serverless.yml   | 1 +
 Symfony/sqs/public/index.php    | 8 ++++----
 Symfony/sqs/serverless.yml      | 1 +
 6 files changed, 15 insertions(+), 12 deletions(-)

diff --git a/Symfony/assets/public/index.php b/Symfony/assets/public/index.php
index 4cab747..0a40931 100644
--- a/Symfony/assets/public/index.php
+++ b/Symfony/assets/public/index.php
@@ -20,12 +20,12 @@
     Request::setTrustedHosts([$trustedHosts]);
 }
 
+// Get user IP:
+$context = json_decode($_SERVER['LAMBDA_CONTEXT'], true);
+$_SERVER['HTTP_X_FORWARDED_FOR'] = $context['identity']['sourceIp'] ?? '';
+
 $kernel = new Kernel($_SERVER['APP_ENV'], (bool) $_SERVER['APP_DEBUG']);
 $request = Request::createFromGlobals();
-
-// Trust all headers for everyone. This is extremely dangerous. But it fine if the code runs on Lambda thanks to AWs security.
-Request::setTrustedProxies(['127.0.0.1', $request->server->get('REMOTE_ADDR')], Request::HEADER_X_FORWARDED_ALL);
-
 $response = $kernel->handle($request);
 $response->send();
 $kernel->terminate($request, $response);
diff --git a/Symfony/assets/serverless.yml b/Symfony/assets/serverless.yml
index 087b24b..3d78928 100644
--- a/Symfony/assets/serverless.yml
+++ b/Symfony/assets/serverless.yml
@@ -9,6 +9,7 @@ provider:
     runtime: provided
     environment:
         APP_ENV: prod
+        TRUSTED_PROXIES: '127.0.0.1'
         APP_SECRET: 7ca3adc3815e12d67b4637595b7f9dff
         MESSENGER_TRANSPORT_DSN: https://sqs.us-east-1.amazonaws.com/403367587399/foobar
 
diff --git a/Symfony/binary/public/index.php b/Symfony/binary/public/index.php
index 4cab747..0a40931 100644
--- a/Symfony/binary/public/index.php
+++ b/Symfony/binary/public/index.php
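Review bot: The fallback in `$_SERVER['HTTP_X_FORWARDED_FOR'] = $context['identity']['sourceIp'] ?? '';` stores an empty header whenever `LAMBDA_CONTEXT` does not decode or carries no `identity.sourceIp`, and the `json_decode` result is never checked, so a malformed context or a schema mismatch is silently turned into a header that is present but holds no valid address. An empty value is not the same as an absent header to the framework's client-IP logic (the exact effect depends on the Symfony version, which is not visible here), and it hides the misconfiguration from anyone reading logs. Since trusting this header is the whole point of the `TRUSTED_PROXIES` change, I would only assign it when a non-empty string was actually found and otherwise remove it, so the request falls back to `REMOTE_ADDR` instead of a header nobody set. The same three lines appear unchanged in the `Symfony/binary/public/index.php` and `Symfony/sqs/public/index.php` hunks of this patch, and the `isset()` guard the second patch wraps around them keeps this fallback as is. Whether Bref exposes the API Gateway identity under `LAMBDA_CONTEXT` in exactly this shape cannot be confirmed from the diff.
```php
// Get user IP: take the client address from the Lambda context rather than from
// a client-supplied X-Forwarded-For header; pairs with TRUSTED_PROXIES in serverless.yml.
$context = json_decode($_SERVER['LAMBDA_CONTEXT'], true);
$sourceIp = $context['identity']['sourceIp'] ?? null;
if (is_string($sourceIp) && $sourceIp !== '') {
    $_SERVER['HTTP_X_FORWARDED_FOR'] = $sourceIp;
} else {
    // Nothing trustworthy to forward: drop the header instead of sending an empty one,
    // so the framework falls back to REMOTE_ADDR.
    unset($_SERVER['HTTP_X_FORWARDED_FOR']);
}
unset($context, $sourceIp);

// … unchanged: Kernel construction, request handling and termination …
```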
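Review bot: The new `TRUSTED_PROXIES: '127.0.0.1'` entry carries no explanation of what it pairs with, yet it only does its job together with the X-Forwarded-For rewrite in `public/index.php` and the front controller's reading of this variable, which lies outside the hunk. A YAML comment above the line, such as `# Trust only the local hop; public/index.php sets X-Forwarded-For from the Lambda context, not from the client`, would keep a later maintainer from widening this to a broader range or dropping the rewrite while leaving the trust in place. Presumably the value works because the PHP process under Bref sees the loopback address as REMOTE_ADDR; that is not visible here and is worth stating in the same comment. The `Symfony/binary/serverless.yml` and `Symfony/sqs/serverless.yml` hunks add the same line and would take the same comment.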
@@ -20,12 +20,12 @@
     Request::setTrustedHosts([$trustedHosts]);
 }
 
+// Get user IP:
+$context = json_decode($_SERVER['LAMBDA_CONTEXT'], true);
+$_SERVER['HTTP_X_FORWARDED_FOR'] = $context['identity']['sourceIp'] ?? '';
+
 $kernel = new Kernel($_SERVER['APP_ENV'], (bool) $_SERVER['APP_DEBUG']);
 $request = Request::createFromGlobals();
-
-// Trust all headers for everyone. This is extremely dangerous. But it fine if the code runs on Lambda thanks to AWs security.
-Request::setTrustedProxies(['127.0.0.1', $request->server->get('REMOTE_ADDR')], Request::HEADER_X_FORWARDED_ALL);
-
 $response = $kernel->handle($request);
 $response->send();
 $kernel->terminate($request, $response);
diff --git a/Symfony/binary/serverless.yml b/Symfony/binary/serverless.yml
index a32a9bd..248261a 100644
--- a/Symfony/binary/serverless.yml
+++ b/Symfony/binary/serverless.yml
@@ -13,6 +13,7 @@ provider:
 
     environment:
         APP_ENV: prod
+        TRUSTED_PROXIES: '127.0.0.1'
         APP_SECRET: 7ca3adc3815e12d67b4637595b7f9dff
         MY_BUCKET: 'bref-example'
         BREF_BINARY_RESPONSES: 1
diff --git a/Symfony/sqs/public/index.php b/Symfony/sqs/public/index.php
index 4cab747..0a40931 100644
--- a/Symfony/sqs/public/index.php
+++ b/Symfony/sqs/public/index.php
@@ -20,12 +20,12 @@
     Request::setTrustedHosts([$trustedHosts]);
 }
 
+// Get user IP:
+$context = json_decode($_SERVER['LAMBDA_CONTEXT'], true);
+$_SERVER['HTTP_X_FORWARDED_FOR'] = $context['identity']['sourceIp'] ?? '';
+
 $kernel = new Kernel($_SERVER['APP_ENV'], (bool) $_SERVER['APP_DEBUG']);
 $request = Request::createFromGlobals();
-
-// Trust all headers for everyone. This is extremely dangerous. But it fine if the code runs on Lambda thanks to AWs security.
-Request::setTrustedProxies(['127.0.0.1', $request->server->get('REMOTE_ADDR')], Request::HEADER_X_FORWARDED_ALL);
-
 $response = $kernel->handle($request);
 $response->send();
 $kernel->terminate($request, $response);
diff --git a/Symfony/sqs/serverless.yml b/Symfony/sqs/serverless.yml
index 7d97bf6..e20ac2c 100644
--- a/Symfony/sqs/serverless.yml
+++ b/Symfony/sqs/serverless.yml
@@ -9,6 +9,7 @@ provider:
     runtime: provided
     environment:
         APP_ENV: prod
+        TRUSTED_PROXIES: '127.0.0.1'
         APP_SECRET: 7ca3adc3815e12d67b4637595b7f9dff
         MESSENGER_TRANSPORT_DSN: https://sqs.us-east-1.amazonaws.com/403367587399/foobar
 

From 2e2e0fb1b8aada11f3c81a7308690f8e53f7b4a1 Mon Sep 17 00:00:00 2001
From: Nyholm
Date: Wed, 11 Mar 2020 15:00:35 +0100
Subject: [PATCH 2/2] Make sure we can run this locally.

---
 Symfony/assets/public/index.php | 6 ++++--
 Symfony/binary/public/index.php | 6 ++++--
 Symfony/sqs/public/index.php    | 6 ++++--
 3 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/Symfony/assets/public/index.php b/Symfony/assets/public/index.php
index 0a40931..2b1bcbf 100644
--- a/Symfony/assets/public/index.php
+++ b/Symfony/assets/public/index.php
@@ -21,8 +21,10 @@
 }
 
 // Get user IP:
-$context = json_decode($_SERVER['LAMBDA_CONTEXT'], true);
-$_SERVER['HTTP_X_FORWARDED_FOR'] = $context['identity']['sourceIp'] ?? '';
+if (isset($_SERVER['LAMBDA_CONTEXT'])) {
+    $context = json_decode($_SERVER['LAMBDA_CONTEXT'], true);
+    $_SERVER['HTTP_X_FORWARDED_FOR'] = $context['identity']['sourceIp'] ?? '';
+}
 
 $kernel = new Kernel($_SERVER['APP_ENV'], (bool) $_SERVER['APP_DEBUG']);
 $request = Request::createFromGlobals();
diff --git a/Symfony/binary/public/index.php b/Symfony/binary/public/index.php
index 0a40931..2b1bcbf 100644
--- a/Symfony/binary/public/index.php
+++ b/Symfony/binary/public/index.php
@@ -21,8 +21,10 @@
 }
 
 // Get user IP:
-$context = json_decode($_SERVER['LAMBDA_CONTEXT'], true);
-$_SERVER['HTTP_X_FORWARDED_FOR'] = $context['identity']['sourceIp'] ?? '';
+if (isset($_SERVER['LAMBDA_CONTEXT'])) {
+    $context = json_decode($_SERVER['LAMBDA_CONTEXT'], true);
+    $_SERVER['HTTP_X_FORWARDED_FOR'] = $context['identity']['sourceIp'] ?? '';
+}
 
 $kernel = new Kernel($_SERVER['APP_ENV'], (bool) $_SERVER['APP_DEBUG']);
 $request = Request::createFromGlobals();
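Review bot: The new `if (isset($_SERVER['LAMBDA_CONTEXT']))` block keeps `// Get user IP:` as its only explanation, while the comment that used to justify the proxy-trust choice was removed in the first patch, so a reader no longer learns why the header is overwritten or that it only works together with `TRUSTED_PROXIES` in serverless.yml. I would replace the comment with `// On Lambda, derive X-Forwarded-For from the API Gateway identity in LAMBDA_CONTEXT instead of trusting the client-supplied header; pairs with TRUSTED_PROXIES in serverless.yml. Locally there is no context, so the header is left untouched.`. The block also leaves `$context` in the global scope of the front controller; an `unset($context);` after the assignment, or folding the decode into the assignment expression, keeps that scope clean. `Symfony/binary/public/index.php` here and `Symfony/sqs/public/index.php` in the next hunk receive the identical change and would take the same comment.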
diff --git a/Symfony/sqs/public/index.php b/Symfony/sqs/public/index.php
index 0a40931..2b1bcbf 100644
--- a/Symfony/sqs/public/index.php
+++ b/Symfony/sqs/public/index.php
@@ -21,8 +21,10 @@
 }
 
 // Get user IP:
-$context = json_decode($_SERVER['LAMBDA_CONTEXT'], true);
-$_SERVER['HTTP_X_FORWARDED_FOR'] = $context['identity']['sourceIp'] ?? '';
+if (isset($_SERVER['LAMBDA_CONTEXT'])) {
+    $context = json_decode($_SERVER['LAMBDA_CONTEXT'], true);
+    $_SERVER['HTTP_X_FORWARDED_FOR'] = $context['identity']['sourceIp'] ?? '';
+}
 
 $kernel = new Kernel($_SERVER['APP_ENV'], (bool) $_SERVER['APP_DEBUG']);
 $request = Request::createFromGlobals();