
madprabh

TrustProxies for Hetzner load balancer

Hey Folks,

Does anyone know what proxies I should trust to work with the Hetzner load balancer? I am facing a problem where my site complains that asset URLs were loaded over HTTP and doesn't render anything in the browser.

My TrustProxies.php is this right now:

    protected $proxies = '*';

    /**
     * The headers that should be used to detect proxies.
     *
     * @var int
     */
    protected $headers =
        Request::HEADER_X_FORWARDED_FOR |
        Request::HEADER_X_FORWARDED_HOST |
        Request::HEADER_X_FORWARDED_PORT |
        Request::HEADER_X_FORWARDED_PROTO |
        Request::HEADER_FORWARDED |
        Request::HEADER_X_FORWARDED_AWS_ELB;

LaryAI

To configure Laravel's TrustProxies middleware to work correctly with a Hetzner load balancer, you need to ensure that the application correctly identifies and trusts the proxy headers set by the load balancer. This is crucial for handling HTTPS requests properly and avoiding mixed content issues.

Here's a step-by-step solution:

  1. Identify the IP Addresses of the Load Balancer:

    • If Hetzner provides specific IP addresses or ranges for their load balancers, you should use those. If not, you can use '*' to trust all proxies, but this is less secure.
  2. Configure the TrustProxies Middleware:

    • You can continue using '*' for development or testing purposes, but for production, it's better to specify the exact IP addresses or ranges if possible.
  3. Ensure Correct Headers are Used:

    • The headers you've configured seem appropriate. However, ensure that the load balancer is indeed setting these headers. You might need to check Hetzner's documentation or contact their support to confirm which headers are used.
  4. Update the TrustProxies.php File:

    • If you have specific IPs, replace '*' with an array of those IPs. Otherwise, keep it as '*' for now.

Here's an example configuration:

namespace App\Http\Middleware;

use Illuminate\Http\Request;
use Fideloper\Proxy\TrustProxies as Middleware;

class TrustProxies extends Middleware
{
    /**
     * The trusted proxies for this application.
     *
     * @var array|string|null
     */
    protected $proxies = '*'; // Use specific IPs if available

    /**
     * The headers that should be used to detect proxies.
     *
     * @var int
     */
    protected $headers =
        Request::HEADER_X_FORWARDED_FOR |
        Request::HEADER_X_FORWARDED_HOST |
        Request::HEADER_X_FORWARDED_PORT |
        Request::HEADER_X_FORWARDED_PROTO |
        Request::HEADER_FORWARDED |
        Request::HEADER_X_FORWARDED_AWS_ELB;
}

  5. Check Your Application URL Configuration:

    • Ensure that your APP_URL in the .env file is set to use https:// if your site is served over HTTPS. This helps Laravel generate URLs with the correct scheme.
  6. Clear Configuration Cache:

    • After making changes, clear the configuration cache to ensure your changes take effect:
      php artisan config:cache

By following these steps, your Laravel application should correctly handle requests through the Hetzner load balancer, and the mixed content issue should be resolved. If problems persist, double-check the headers being sent by the load balancer and adjust the TrustProxies configuration accordingly.

martinbean

@madprabh I’m not familiar with Hetzner, but you’ll need to inspect a request in your Laravel application running in Hetzner and see what HTTP header it sends to your application to designate the scheme being used if it’s not the standard X-Forwarded-Proto one.

adamparusel

I've had the same issue and let Claude AI figure it out - gave it SSH access.

The issue was that the internal IP (10.0.0.x) was wrong for the application server in Forge and this made the whole nginx config of the Load Balancer incorrect (it pointed to itself).

Changing the internal IP of the application server also did not help. The nginx config still pointed to the former internal IP.

What I did:

  1. Make sure internal IP is correct (check in Hetzner Cloud Console)
  2. Delete the site in the Load Balancer
  3. Set up the site again

Important:

  • SSL only on the LB, not the app server.
  • LB pointing to port 80 of the app server
  • Trust proxies need to be set up correctly in bootstrap/app.php Middleware section

Hope this helps.
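
Added illustration (not code from any poster in this thread, nor from Laravel or Symfony) of why the trusted-proxy list matters when TLS ends at the load balancer and the app server is reached on port 80. It is a simplified PHP model of the decision a proxy-aware framework makes; the function names, the 10.0.0.2 load balancer address and both sample requests are constructed, and it assumes 64-bit PHP 8.

```php
<?php
// Simplified model of trusted-proxy handling; not Laravel's or Symfony's code.
// Function names and all addresses below are constructed for illustration.

/** True if IPv4 $ip is inside $cidr (a bare IP counts as /32). Assumes 64-bit PHP. */
function ipInCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $mask = (-1 << (32 - (int) $bits)) & 0xFFFFFFFF;
    return (ip2long($ip) & $mask) === (ip2long($net) & $mask);
}

/** Scheme and client IP as the application would see them for a given trust setting. */
function resolveRequest(array $req, array|string $trusted): array
{
    $peer = $req['remote_addr'];
    $peerTrusted = $trusted === '*';            // '*' trusts whoever connects
    foreach ($peerTrusted ? [] : $trusted as $cidr) {
        $peerTrusted = $peerTrusted || ipInCidr($peer, $cidr);
    }
    if (!$peerTrusted) {
        // Forwarded headers from an untrusted peer are ignored.
        return ['scheme' => $req['scheme'], 'client_ip' => $peer];
    }
    $chain = array_map('trim', explode(',', $req['headers']['X-Forwarded-For'] ?? $peer));
    return [
        'scheme'    => $req['headers']['X-Forwarded-Proto'] ?? $req['scheme'],
        'client_ip' => end($chain),             // entry appended by the trusted peer
    ];
}

// Constructed request that came through the load balancer (TLS ends there, port 80 behind it).
$viaLb = ['remote_addr' => '10.0.0.2', 'scheme' => 'http',
    'headers' => ['X-Forwarded-Proto' => 'https', 'X-Forwarded-For' => '203.0.113.7']];
// Constructed request sent straight to the app server with self-supplied headers.
$direct = ['remote_addr' => '198.51.100.9', 'scheme' => 'http',
    'headers' => ['X-Forwarded-Proto' => 'https', 'X-Forwarded-For' => '127.0.0.1']];

$settings = ['none' => [], 'wildcard' => '*', 'pinned' => ['10.0.0.2/32']];
foreach ($settings as $label => $trusted) {
    foreach (['via LB' => $viaLb, 'direct' => $direct] as $path => $req) {
        $r = resolveRequest($req, $trusted);
        printf("%-8s %-6s scheme=%-5s client_ip=%s\n", $label, $path, $r['scheme'], $r['client_ip']);
    }
}
```

With no trusted proxy the app sees plain HTTP even for traffic that came through the load balancer, which is the mixed-content symptom from the question. The wildcard setting accepts the self-supplied headers on the direct request, while the pinned entry honours them only when the peer is the load balancer.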
