Comments (33)
Apparently it's the very same for Chrome's Data Saver.
from standard-edition.
I don't think we should apply any general solution without having understood the issue in full.
from standard-edition.
Or generally ignore X_FORWARDED_FOR (the old config) if there's a new FORWARDED header?
Sounds reasonable. However, this requires adjusting the app.php file:
from standard-edition.
https://symfony.com/doc/current/request/load_balancer_reverse_proxy.html (not a solution, just more information)
from standard-edition.
The information does not write about Symfony AppCache, but that probably is the same and we should just whitelist localhost?
from standard-edition.
Should probably open this issue on symfony/symfony because it does not seem to be related to anything we use for Contao in specific?
from standard-edition.
Would be interesting to see the HTTP headers of the request which causes the issue. However, I cannot reproduce the issue in Opera 12.
from standard-edition.
Could this be the result of a wrong request? If the FORWARDED and X_FORWARDED_FOR headers are both set and have different values, the exception is thrown. But if the application does not use any kind of reverse proxy, the misconfiguration must be in the original request already, right?
from standard-edition.
The application always uses a reverse proxy due to our Symfony AppCache reverse proxy.
Here's one of the original headers. I've changed the IP for anonymity reasons, but interestingly it's the same in both headers.
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Encoding: gzip, deflate
Accept-Language: de,en;q=0.9
Connection: Keep-Alive
Device-Stock-Ua: Mozilla/5.0 (Linux; Android 4.4.2; BLOOM Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Mobile Safari/537.36
Forwarded: for="10.10.10.10:34161"
Host: www.example.com"
User-Agent: Opera/9.80 (Android; Opera Mini/18.0.2254/37.8814; U; de) Presto/2.12.423 Version/12.16
X-Forwarded-For: 10.10.10.10
X-Operamini-Features: httpping, advanced, pingback, routing, file_system, camera, touch, viewport, folding, download
X-Operamini-Phone: Android #
X-Operamini-Phone-Ua: Mozilla/5.0 (Linux; Android 4.4.2; BLOOM Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Mobile Safari/537.36"
from standard-edition.
It appears the IP is originating from the opera-mini.net domain (reverse lookup), so maybe Opera does have a built-in reverse proxy to improve mobile speed that causes this issue?
from standard-edition.
These are the two interesting lines:
Forwarded: for="10.10.10.10:34161"
X-Forwarded-For: 10.10.10.10
Symfony will compare 10.10.10.10:34161 against 10.10.10.10 and since they do not match, the exception is thrown.
from standard-edition.
I'm aware of that. But I don't think Opera's behavior is wrong. And we can't decide to mistrust one of the headers. We just should be able to define which one is preferred. Feels like a general Symfony issue?
from standard-edition.
I just had to fight the same problem within our project. The solution was quite simple; maybe it can give you a hint to find out the problem with your configuration:
There are two headers that can be set when you (or your project) are sitting behind a proxy/load balancer:
- Forwarded (RFC)
- X-Forwarded-For
The Opera Mini browser with extreme data saving mode enabled, for example, makes your mobile browser sit behind an Opera proxy which sets both of these headers.
Our server sat behind a misconfigured load balancing proxy which just set one of those.
The result was that our Symfony app had to deal with two forwarded headers that were different (because one held the IP of the Opera proxy AND ours and the other held just the IP address from the Opera proxy).
Request.php (line 821) says:
if ($hasTrustedForwardedHeader && $hasTrustedClientIpHeader && $forwardedClientIps !== $xForwardedForClientIps) {
throw new ConflictingHeadersException('The request has both a trusted Forwarded header and a trusted Client IP header, conflicting with each other with regards to the originating IP addresses of the request. This is the result of a misconfiguration. You should either configure your proxy only to send one of these headers, or configure Symfony to distrust one of them.');
}
which means that the exception is thrown when the IP addresses from the two headers differ.
These are the two interesting lines:
Forwarded: for="10.10.10.10:34161"
X-Forwarded-For: 10.10.10.10
and this should not be quite true because Symfony does extract the port number from the IP address.
from standard-edition.
@Advialance Thanks for the clarification. How did you finally solve the problem?
from standard-edition.
@leofeyer I chose the simple way. The Forwarded header is not needed at any point by the webserver. Within our application we are just using the X-Forwarded-For header.
You could just
unset($_SERVER["HTTP_FORWARDED"])
The above could cause a problem if a proxy sets the Forwarded header but not the X-Forwarded-For, as you could lose some information if you just unset that variable, so it would be better to combine the information in $_SERVER["HTTP_FORWARDED"] into $_SERVER["HTTP_X_FORWARDED_FOR"] or vice versa and then unset the unnecessary one at the beginning of your application.
That was my quick and dirty fix that works well, but you can make sure that both of the headers are always the same from within your proxy configuration, too.
In the end you just have to make sure that both of the headers either inherit the same information about the IP addresses the request ran through or make sure that just one of the headers is set.
from standard-edition.
AFAIK, you can also tell Symfony to ignore one of the headers.
from standard-edition.
Let's wait for an answer here: symfony/symfony#7034 (comment)
from standard-edition.
@aschempp I wonder if you posted the correct headers? The getClientIps() method makes an early return here with your headers and does not even get to the point where the exception is thrown.
Or did you configure any trusted proxies?
from standard-edition.
I'm basically using our standard edition, not sure if AppCache has any effect.
from standard-edition.
Ok, so here is the output of $forwardedClientIps and $xForwardedForClientIps when the error occurs:
Array
(
[0] => 46.127.15.xxx
)
Array
(
[0] => 141.0.14.174
[1] => 141.0.14.174
[2] => 46.127.15.xxx
)
Array
(
[0] => 46.127.15.xxx
)
Array
(
[0] => 82.145.219.118
[1] => 82.145.219.118
[2] => 46.127.15.xxx
)
141.0.14.174 resolves to z06-03-03.opera-mini.net and 82.145.219.118 resolves to z01-09-02.opera-mini.net. Apparently, Opera adds the proxy IPs to the X_FORWARDED_FOR header but not to the FORWARDED header, which is why the two arrays differ.
from standard-edition.
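The header comparison discussed in this thread, together with the "keep only one header" workaround suggested earlier, as an added example (not Symfony, Contao or any commenter's code): it parses both headers, strips ports, and unsets `Forwarded` when the two chains disagree. The function names and sample addresses are constructed for illustration, and the assumption is that it runs in the front controller before the request object is built.

```php
<?php
// Added illustration; not Symfony or Contao code. All function names are hypothetical.
// Reduce one node to a bare address: drops quotes, IPv6 brackets and a trailing port.
function normalizeNode(string $node): string
{
    $node = trim($node, " \t\"");
    if (preg_match('/^\[([0-9a-f:.]+)\](?::\d+)?$/i', $node, $m)) {
        return $m[1];                      // "[2001:db8::1]:443" -> "2001:db8::1"
    }
    if (preg_match('/^(\d{1,3}(?:\.\d{1,3}){3}):\d+$/', $node, $m)) {
        return $m[1];                      // "10.10.10.10:34161" -> "10.10.10.10"
    }
    return $node;                          // bare address or obfuscated token
}

// for= nodes of an RFC 7239 Forwarded header, in header order.
function forwardedFor(string $header): array
{
    preg_match_all('/(?:^|[;,])\s*for=("[^"]*"|[^;,\s]+)/i', $header, $m);
    return array_map('normalizeNode', $m[1]);
}

// Addresses of an X-Forwarded-For list, in header order.
function xForwardedFor(string $header): array
{
    $nodes = array_map('normalizeNode', explode(',', $header));
    return array_values(array_filter($nodes, 'strlen'));
}

// When both headers are present and disagree, keep X-Forwarded-For only.
// Returns true if a conflict was found and Forwarded was removed.
function dropConflictingForwarded(array &$server): bool
{
    if (!isset($server['HTTP_FORWARDED'], $server['HTTP_X_FORWARDED_FOR'])) {
        return false;
    }
    $conflict = forwardedFor($server['HTTP_FORWARDED'])
        !== xForwardedFor($server['HTTP_X_FORWARDED_FOR']);
    if ($conflict) {
        unset($server['HTTP_FORWARDED']);
    }
    return $conflict;
}

// Constructed samples modelled on the headers and arrays posted in this thread.
$portOnly = ['HTTP_FORWARDED' => 'for="10.10.10.10:34161"', 'HTTP_X_FORWARDED_FOR' => '10.10.10.10'];
$extraHop = ['HTTP_FORWARDED' => 'for=198.51.100.7',
             'HTTP_X_FORWARDED_FOR' => '203.0.113.10, 203.0.113.10, 198.51.100.7'];
var_dump(dropConflictingForwarded($portOnly), dropConflictingForwarded($extraHop));
```

Both headers arrive from a hop the application does not control, so whichever one is kept is still client-supplied data and only the address of the directly connected peer is authoritative.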
Oh look at this: http://forums.opera.com/discussion/1875157/conflicting-headers/p1 😄
from standard-edition.
Jep. And that's something we can't control, and we can't correctly configure reverse proxy. So someone needs to unify them I would say? Or generally ignore X_FORWARDED_FOR (the old config) if there's a new FORWARDED header?
from standard-edition.
Oh look at this: http://forums.opera.com/discussion/1875157/conflicting-headers/p1 😄
Interesting, an Opera employee seems to respond 😎
from standard-edition.
No I don't think that's the solution. They are always talking about trusted proxies, but that is not the case here. We don't know and don't trust the Opera proxies.
from standard-edition.
The link is about distrusting either the Forward or the X-Forward-For header.
from standard-edition.
Ideally, you would configure this in your proxy. If this is not possible, you can tell Symfony to distrust the Forwarded header, while still trusting your proxy's X-Forwarded-For header.
I don't know, but I have no idea what header to trust or distrust...
from standard-edition.
We should distrust the X-Forward-For header as soon as there is a Forward header (as you suggested above).
from standard-edition.
I receive that error on android 5.1.1 within iron-browser v53.0....(17. Nov 2016).
[2016-12-08 13:10:23] app.CRITICAL: An exception occurred. {"exception":"[object] (Symfony\\Component\\HttpKernel\\Exception\\BadRequestHttpException(code: 0): The request headers contain conflicting information regarding the origin of this request. at /.../vendor/symfony/symfony/src/Symfony/Component/HttpKernel/HttpKernel.php:71, Symfony\\Component\\HttpFoundation\\Exception\\ConflictingHeadersException(code: 0): The request has both a trusted Forwarded header and a trusted Client IP header, conflicting with each other with regards to the originating IP addresses of the request. This is the result of a misconfiguration. You should either configure your proxy only to send one of these headers, or configure Symfony to distrust one of them. at /.../app/bootstrap.php.cache:729)"} []
from standard-edition.
@aschempp guys did you resolve this somehow?
from standard-edition.
Could it be that Symfony fixed this somehow? I haven't seen the exception in a while.
from standard-edition.
I think this might have fixed it: symfony/symfony#21849
from standard-edition.
I think so, too. I'm closing this ticket then for the time being.
from standard-edition.