Jul 12, 2020

Level 1

Set middleware property via method instead of explicitly declaring

Having trouble getting a property in the TrustedProxy.php middleware from config.

The default is:

<?php

namespace App\Http\Middleware;

use Fideloper\Proxy\TrustProxies as Middleware;
use Illuminate\Http\Request;

class TrustProxies extends Middleware
{
    /**
     * The trusted proxies for this application.
     *
     * @var array|string|null
     */
    protected $proxies;

    /**
     * The headers that should be used to detect proxies.
     *
     * @var int
     */
    protected $headers = Request::HEADER_X_FORWARDED_ALL;
}

We want to get $proxies from config('network.trusted_proxies'). Our config/network.php looks like:

'trusted_proxies' => explode(',', env('NETWORK_TRUSTED_PROXIES', null)),

The first thing I tried in the middleware was:

    protected $proxies = config('network.trusted_proxies');

However, this throws exception "Constant expression contains invalid operations".

So I removed that line and added:

    public function proxies()
    {
		return config('network.trusted_proxies');
    }

While this resolves the exception, it is not working as intended because the middleware is seeing $proxies as an empty value.

Everything works exactly as expected with our proxies when I define the property like so:

    protected $proxies = "*";

I'm surely doing something wrong in my attempts to pull the value from config.

Is what I'm trying to do even possible? Our goal here is to be able to manage trusted proxy config from .env rather than having to update the codebase each time a proxy is added or removed.

Any help greatly appreciated.

nathan-io

5 years ago

Level 1

Tried this as well with no luck. $proxies still seems to be empty:

namespace App\Http\Middleware;

use Fideloper\Proxy\TrustProxies as Middleware;
use Illuminate\Http\Request;
use Closure;
use Config;

class TrustProxies extends Middleware
{

    protected $headers = Request::HEADER_X_FORWARDED_ALL;	
	
    protected $proxies;
	
    public function handle($request, Closure $next, $guard = null)
    {
		$this->proxies = Config::get('network.trusted_proxies');
		return $next($request);		
    }	

}

martinbean

5 years ago

Level 80

@nathan-io Does your proxy server really change that often that you need to make it configurable?

Usually, if you’re having difficult doing something, it’s because you’re doing something that you shouldn’t really be doing. A proxy server shouldn’t have a rotating IP address. You should know the IP address of any proxy servers sitting in front of your web application. If you don’t, then there’s no point using the TrustProxies middleware.

nathan-io

5 years ago

Level 1

The Laravel documentation acknowledges at least one scenario where you may not know the IP:

If you are using Amazon AWS or another "cloud" load balancer provider, you may not know the IP addresses of your actual balancers. In this case, you may use * to trust all proxies:

In our case, it's not so much that it will be unknown or changing frequently, but that we will have a different proxy server for each application depending on the environment.

For example, staging and prod each have their own load balancers, while on local we'll have none. So it's just easier from a devops perspective than hardcoding environment-based values into config or the middleware.

Ultimately my question here is how I can use config from within a middleware - the use case was given as an example, but is irrelevant.

So while we can argue the merits or wisdom of getting this particular value in this particular middleware from config, I'm sure there are plenty of other scenarios where it would be helpful to do something like this in a middleware, so I'd like to know what I'm missing here.

nathan-io

5 years ago

Level 1

@martinbean here's a discussion of additional use cases: https://github.com/fideloper/TrustedProxy/issues/81

In fact, I discovered that the package offers a config file for this very purpose.

php artisan vendor:publish --provider="Fideloper\Proxy\TrustedProxyServiceProvider"

However, even the solution described here (which uses that config file) didn't work properly for me, and there seems to be some confusion as to whether the package's config has been deprecated.

Here's a solution that's working for us:

config/network.php:

return [
    'trusted_proxies' => explode(',', env('NETWORK_TRUSTED_PROXIES', null)),
];

app/Http/Middleware/TrustProxies.php:

namespace App\Http\Middleware;

use Fideloper\Proxy\TrustProxies as Middleware;
use Illuminate\Http\Request;

class TrustProxies extends Middleware
{

    /**
     * The headers that should be used to detect proxies.
     *
     * @var int
     */
	protected $headers = Request::HEADER_X_FORWARDED_ALL;	
	
    /**
     * The trusted proxies for this application.
     *
     * @var array|string|null
     */

	protected $proxies;        
	
    public function handle(Request $request, \Closure $next)
    {

		$proxies = (array) config('network.trusted_proxies'); // (array) cast prevents "must implement Countable" warning
		
		if(empty($proxies[0])) {
			$proxies = null;
		} elseif(count($proxies) == 1) {
			$proxies = $proxies[0];
		}
		
		$this->proxies = $proxies;	
		return parent::handle($request, $next);
	}

}

I found that without the elseif logic, single values like "*" or "127.0.0.1" did not work correctly.

I'm sure this could be refactored a bit, but it's working for now.

niclm

5 years ago

Level 9

Here is a simple solution we have implemented which doesn't involve any changes to the TrustProxies.php middleware file, hope it helps.

Add the following to your env file:

TRUSTED_PROXIES=192.168.1.1,192.168.1.2

Create a config file config/trustedproxy.php with the below:

$proxies = [];

if(env('TRUSTED_PROXIES')){
    foreach (explode(',', env('TRUSTED_PROXIES')) as $ip) {
        if(filter_var($ip, FILTER_VALIDATE_IP)){
            $proxies[] = $ip;
        }
    }
}

return [
    'proxies' => $proxies
];

Please or to participate in this conversation.