Problem/Motivation

The reverse proxy configuration and documentation in default.settings.php has some minor issues:

- copy/paste errors: most of the comments refer to "client protocol" instead of the setting's actual meaning
- confusing/wrong default values: while most of the commented out $settings code lines have the actual default value, the doc comment has not (e.g. doc: "X-Forwarded-Proto", code/default setting: "X_FORWARDED_PROTO") - verified in Drupal\Core\StackMiddleware\ReverseProxyMiddleware
- unclear difference between "reverse_proxy_header" and "reverse_proxy_forwarded_header" (rfc 7239)

Proposed resolution

Is only a minor issue, but it still takes some time to figure out what's wrong, so it should be fixed by updating the documentation.

Remaining tasks

Needs review / merge.

CommentFileSizeAuthor
#17 interdiff-2673572-11-17.txt1.49 KBchipway
#17 improve-reverse-proxy-documentation-2673572-17.patch1.94 KBchipway
#11 improve-reverse-proxy-documentation-2673572-11.patch1.61 KBSaphyel
#8 improve-reverse-proxy-documentation-2673572-8.patch1.62 KBpatrick_durold
#5 improve-reverse-proxy-documentation-2673572-5.patch1.61 KBpatrick_durold
#2 improve-reverse-proxy-documentation-2673572-2.patch1.86 KBpatrick_durold
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

patrick_durold created an issue. See original summary.

patrick_durold’s picture

patrick_durold
Primary language German
CreditAttribution: patrick_durold as a volunteer commented
FileSize
improve-reverse-proxy-documentation-2673572-2.patch1.86 KB

Fixed errors and unclear wordings. Added link to rfc7239.

Patch is against current 8.0.x branch.

patrick_durold’s picture

patrick_durold
Primary language German
CreditAttribution: patrick_durold as a volunteer commented
Issue summary: View changes
Status: Active » Needs review
jhodgdon’s picture

jhodgdon
she/her
Primary language English
CreditAttribution: jhodgdon commented
Status: Needs review » Needs work

Thanks for the issue and patch! The patch needs some work before we can commit it though:

  1. +++ b/sites/default/default.settings.php
@@ -373,32 +373,33 @@
+ * Set this value if your proxy server sends the original client IP in a header
+ * other than X_FORWARDED_FOR.
  */
-# $settings['reverse_proxy_header'] = 'X_CLUSTER_CLIENT_IP';
+# $settings['reverse_proxy_header'] = 'X_FORWARDED_FOR';

    I don't understand the code (or commented-out code) change here. The docs say that you should only set this value if you are not using X_FORWARDED_FOR, so the line that was previously in this file gave an example of something you might set it to. I don't think we should change it, since setting it to X_FORWARDED_FOR is not something anyone would ever set it to, right??? 

  2. +++ b/sites/default/default.settings.php
@@ -373,32 +373,33 @@
+ * Set this value if your proxy server sends the original client protocol in a header

    This line is now over 80 characters, so you need to rewrap it.

    I also don't understand why you felt it was necessary to add "original" to all of these lines. I think it should probably just be taken out, but if it *is* necessary, you need to rewrap the docs so they don't go over 80 character lines. 

  3. +++ b/sites/default/default.settings.php
@@ -373,32 +373,33 @@
+ * Set this value if your proxy server sends the original client host in a header

    remove "original" or rewrap here too. 

  4. +++ b/sites/default/default.settings.php
@@ -373,32 +373,33 @@
+ * Set this value if your proxy server sends the original client port in a header

    here too 

  5. +++ b/sites/default/default.settings.php
@@ -373,32 +373,33 @@
+ * Set this value if your proxy server sends standard combined forwarding information

    This is over 80 characters too. 

  6. +++ b/sites/default/default.settings.php
@@ -373,32 +373,33 @@
+ * @link https://tools.ietf.org/html/rfc7239

    This is not how @link works. See
    https://www.drupal.org/node/1354#link
    for more information. Probably rather than @link you either want @see or just the URL in a sentence anyway?

patrick_durold’s picture

patrick_durold
Primary language German
CreditAttribution: patrick_durold as a volunteer commented
FileSize
improve-reverse-proxy-documentation-2673572-5.patch1.61 KB

Well, understanding is always subjective, so I added what I thought would be needed for me personally to immediately understand it. As said, that's a personal view.

1. My thinking was that if the other four reverse proxy settings use the default value as example, this one should too. It's more consisting and a bit less confusing, at least for me. Changing the one example was the smallest change that would achieve that (instead of conjuring up some random examples for the other four).
Also, it's not uncommon for config files to have the default value commented out, so it felt okay for me.

Kept this in the patch (for now). If you really think it shouldn't be changed, then please consider using non-default examples for the other four settings.

2.-5. Sometimes I'm a bit overly verbose. I removed the "original".

6. I mixed that up with phpDoc. Changed that to "@see".

patrick_durold’s picture

patrick_durold
Primary language German
CreditAttribution: patrick_durold as a volunteer commented
Status: Needs work » Needs review
jhodgdon’s picture

jhodgdon
she/her
Primary language English
CreditAttribution: jhodgdon commented
Status: Needs review » Needs work

Fair enough! So the latest patch looks good, except one small nitpick:

+++ b/sites/default/default.settings.php
@@ -374,31 +374,32 @@
+ * @see https://tools.ietf.org/html/rfc7239

Thanks -- @see works better here. But you need to leave a blank line before an @see line.

patrick_durold’s picture

patrick_durold
Primary language German
CreditAttribution: patrick_durold as a volunteer commented
Status: Needs work » Needs review
FileSize
improve-reverse-proxy-documentation-2673572-8.patch1.62 KB

Added blank line before @see.

jhodgdon’s picture

jhodgdon
she/her
Primary language English
CreditAttribution: jhodgdon commented
Status: Needs review » Needs work

Almost there!

+++ b/sites/default/default.settings.php
@@ -374,31 +374,33 @@
+ * ¶

There is an extra space at the end of this line.

You should be able to set your code editor or IDE to either remove or highlight end-of-line spaces.

Saphyel’s picture

Saphyel CreditAttribution: Saphyel as a volunteer commented
Assigned: Unassigned » Saphyel
Saphyel’s picture

Saphyel CreditAttribution: Saphyel as a volunteer commented
Assigned: Saphyel » Unassigned
Status: Needs work » Needs review
FileSize
improve-reverse-proxy-documentation-2673572-11.patch1.61 KB

Fixed #9, good work guys!

jhodgdon’s picture

jhodgdon
she/her
Primary language English
CreditAttribution: jhodgdon commented
Status: Needs review » Reviewed & tested by the community

Looks good now, thanks everyone!

catch’s picture

catch
he/him
Primary language English
CreditAttribution: catch at Third and Grove commented
Status: Reviewed & tested by the community » Needs work

These are the actual header names, which is what's referred to in the docs, I don't think we should just switch to referring to the constants here.

patrick_durold’s picture

patrick_durold
Primary language German
CreditAttribution: patrick_durold as a volunteer commented

Could you please elaborate? The values that look like constants are the actual header names accepted by Drupal. What do you propose instead?

Version: 8.0.x-dev » 8.1.x-dev

Drupal 8.0.6 was released on April 6 and is the final bugfix release for the Drupal 8.0.x series. Drupal 8.0.x will not receive any further development aside from security fixes. Drupal 8.1.0-rc1 is now available and sites should prepare to update to 8.1.0.

Bug reports should be targeted against the 8.1.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.2.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.1.x-dev » 8.2.x-dev

Drupal 8.1.9 was released on September 7 and is the final bugfix release for the Drupal 8.1.x series. Drupal 8.1.x will not receive any further development aside from security fixes. Drupal 8.2.0-rc1 is now available and sites should prepare to upgrade to 8.2.0.

Bug reports should be targeted against the 8.2.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.3.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

chipway’s picture

chipway CreditAttribution: chipway at Chipway commented
Status: Needs work » Needs review
FileSize
improve-reverse-proxy-documentation-2673572-17.patch1.94 KB
interdiff-2673572-11-17.txt1.49 KB

Thanks all,
Here is a new patch suggestion.

Version: 8.2.x-dev » 8.3.x-dev

Drupal 8.2.6 was released on February 1, 2017 and is the final full bugfix release for the Drupal 8.2.x series. Drupal 8.2.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.3.0 on April 5, 2017. (Drupal 8.3.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.3.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.4.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Munavijayalakshmi’s picture

Munavijayalakshmi CreditAttribution: Munavijayalakshmi at Valuebound commented
Assigned: Unassigned » Munavijayalakshmi
Status: Needs review » Reviewed & tested by the community
catch’s picture

catch
he/him
Primary language English
CreditAttribution: catch at Third and Grove commented
Status: Reviewed & tested by the community » Needs work

I still think the comments should match the actual HTTP headers rather than the constants here since that's what they're referring to.

chipway’s picture

chipway CreditAttribution: chipway at Chipway commented

Thanks Catch,
I try to understand. As we speak about custom proxy headers, we can't use the ones from https://tools.ietf.org/html/rfc7239.

Do you mean something like the following?
+# $settings['reverse_proxy_header'] = 'Your-Customized-X-Forwarded-For';
or
+# $settings['reverse_proxy_header'] = 'X-Forwarded-For-Customized';

Munavijayalakshmi’s picture

Munavijayalakshmi CreditAttribution: Munavijayalakshmi at Valuebound commented
Assigned: Munavijayalakshmi » Unassigned

Version: 8.3.x-dev » 8.4.x-dev

Drupal 8.3.6 was released on August 2, 2017 and is the final full bugfix release for the Drupal 8.3.x series. Drupal 8.3.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.4.0 on October 4, 2017. (Drupal 8.4.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.4.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.5.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.4.x-dev » 8.5.x-dev

Drupal 8.4.4 was released on January 3, 2018 and is the final full bugfix release for the Drupal 8.4.x series. Drupal 8.4.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.5.0 on March 7, 2018. (Drupal 8.5.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.5.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.6.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

tunic’s picture

tunic
he/him
Primary language Spanish
Location Madrid
CreditAttribution: tunic at Metadrop commented

@Catch can you clarify what is the problem? I'm not sure what fix is needed. See #21.

Not a functional bug, but it's not good for Drupal to have such errors in the official example configuration file.

Version: 8.5.x-dev » 8.6.x-dev

Drupal 8.5.6 was released on August 1, 2018 and is the final bugfix release for the Drupal 8.5.x series. Drupal 8.5.x will not receive any further development aside from security fixes. Sites should prepare to update to 8.6.0 on September 5, 2018. (Drupal 8.6.0-rc1 is available for testing.)

Bug reports should be targeted against the 8.6.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.7.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

O'Briat’s picture

O'Briat CreditAttribution: O'Briat as a volunteer and at Capgemini for SNCF, E.voyageurs Technologies commented

There's another issue about this wording: https://www.drupal.org/project/drupal/issues/3017957

- For X_FORWARDED_HOST, I suggest to use "the original host requested by the client" instead of "the client host"
- For X_FORWARDED_PORT, I suggest to use "the original port requested by the client" instead of "the client port"

Version: 8.6.x-dev » 8.8.x-dev

Drupal 8.6.x will not receive any further development aside from security fixes. Bug reports should be targeted against the 8.8.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.9.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.8.x-dev » 8.9.x-dev

Drupal 8.8.7 was released on June 3, 2020 and is the final full bugfix release for the Drupal 8.8.x series. Drupal 8.8.x will not receive any further development aside from security fixes. Sites should prepare to update to Drupal 8.9.0 or Drupal 9.0.0 for ongoing support.

Bug reports should be targeted against the 8.9.x-dev branch from now on, and new development or disruptive changes should be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.9.x-dev » 9.2.x-dev

Drupal 8 is end-of-life as of November 17, 2021. There will not be further changes made to Drupal 8. Bugfixes are now made to the 9.3.x and higher branches only. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.2.x-dev » 9.3.x-dev

Version: 9.3.x-dev » 9.4.x-dev

Drupal 9.3.15 was released on June 1st, 2022 and is the final full bugfix release for the Drupal 9.3.x series. Drupal 9.3.x will not receive any further development aside from security fixes. Drupal 9 bug reports should be targeted for the 9.4.x-dev branch from now on, and new development or disruptive changes should be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

dipakmdhrm’s picture

dipakmdhrm CreditAttribution: dipakmdhrm as a volunteer and at QED42 for Drupal India Association commented

This issue is probably outdated now because of #3030501

As part of #3030501:
Following settings were deprecated and their documentation was removed from default.settings.php

  1. reverse_proxy_header
  2. reverse_proxy_proto_header
  3. reverse_proxy_host_header
  4. reverse_proxy_port_heade
  5. reverse_proxy_forwarded_header

Which fixes the all the documentation issues mentioned here.

dipakmdhrm’s picture

dipakmdhrm CreditAttribution: dipakmdhrm as a volunteer and at QED42 for Drupal India Association commented
Status: Needs work » Closed (outdated)

Closing because of the above comment. Feel free to reopen if you disagree.