Reverse Proxies
A reverse proxy sits in front of the PHP application. It may terminate TLS, route traffic, balance requests, or cache selected responses. The application then sees a connection from the proxy rather than directly from the browser, so it needs a deliberate trust policy for forwarded headers.
Trust Forwarded Headers Narrowly
- Trust proxy headers only from known proxy infrastructure.
- Configure client IP and scheme handling deliberately.
- Set timeouts and body-size limits consistently.
Verify The Whole Request Path
- Verify HTTPS URL generation.
- Check client IP logs.
- Exercise large request and timeout behaviour.
Common Failure Modes
- Blind trust in forwarded headers enables spoofing.
- Proxy and app timeout mismatches create confusing failures.
- Caching authenticated responses can leak data.
Trusted Header Rule
Accept X-Forwarded-For and X-Forwarded-Proto only when the request came from an approved proxy address range.
Frameworks usually provide trusted-proxy configuration. Use it rather than scattering custom header parsing through controllers. Review caching rules separately and make sure personalised or authenticated responses cannot leak through an unsafe shared cache.
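The check that a framework's trusted-proxy setting performs, written out in plain PHP as an added example (not code from the original page or from any framework), kept in one bootstrap-level function rather than in controllers. The 10.0.0.0/8 proxy range, the function names and the sample requests are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Assumed proxy subnet (constructed); replace with the load balancer's real range.
const TRUSTED_PROXIES = ['10.0.0.0/8'];

/** True when $ip lies inside one of the TRUSTED_PROXIES CIDR blocks (IPv4 or IPv6). */
function isTrustedProxy(string $ip): bool
{
    $ipBin = @inet_pton($ip);
    foreach (TRUSTED_PROXIES as $cidr) {
        [$net, $bits] = explode('/', $cidr, 2);
        $netBin = @inet_pton($net);
        if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
            continue; // invalid address or IPv4/IPv6 mismatch
        }
        $bytes = intdiv((int) $bits, 8);
        $rem = (int) $bits % 8;
        $mask = (0xFF << (8 - $rem)) & 0xFF; // mask for the partial byte, if any
        if (substr($ipBin, 0, $bytes) === substr($netBin, 0, $bytes)
            && ($rem === 0 || (ord($ipBin[$bytes]) & $mask) === (ord($netBin[$bytes]) & $mask))) {
            return true;
        }
    }
    return false;
}

/** Returns [clientIp, scheme] for a $_SERVER-style array. */
function resolveClient(array $server): array
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    $scheme = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
    if (!isTrustedProxy($peer)) {
        return [$peer, $scheme]; // not from the proxy: forwarded headers are ignored
    }
    // Walk X-Forwarded-For right to left; the first hop that is not a trusted proxy is the client.
    $client = $peer;
    foreach (array_reverse(explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? '')) as $hop) {
        $hop = trim($hop);
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) { break; }
        $client = $hop;
        if (!isTrustedProxy($hop)) { break; }
    }
    $proto = strtolower(trim($server['HTTP_X_FORWARDED_PROTO'] ?? ''));
    return [$client, in_array($proto, ['http', 'https'], true) ? $proto : $scheme];
}

// Constructed requests: spoofed headers sent directly, then a request through the proxy.
var_dump(resolveClient(['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_FOR' => '10.0.0.1', 'HTTP_X_FORWARDED_PROTO' => 'https']));
var_dump(resolveClient(['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '192.0.2.1, 203.0.113.9', 'HTTP_X_FORWARDED_PROTO' => 'https']));
```

The first call returns the socket peer and `http` because the sender is outside the proxy range; the second returns `203.0.113.9` and `https`, ignoring the client-supplied leftmost entry.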
Practice
Practice: Review Trusted Proxy Settings
Review a deployment where a load balancer terminates TLS before forwarding traffic to the PHP application. Explain which forwarded headers the app can trust and how that trust is restricted.
Requirements
- Trust proxy headers only from known proxy infrastructure.
- Configure client IP and scheme handling deliberately.
- Set timeouts and body-size limits consistently.
- Verify HTTPS URL generation.
- Check client IP logs.
- Exercise large request and timeout behaviour.
Solution
Configure the application or framework with the approved proxy address range. Accept forwarded client IP and scheme headers only for requests that arrived from that infrastructure. Do not trust internet-supplied forwarding headers by default.
Verify HTTPS URL generation, redirects, client-IP logs, body-size limits, and timeouts through the actual proxy path. Review cache rules separately and make sure personalised or authenticated responses cannot leak through an unsafe shared cache.