To ensure that Acquia Cloud is in line with best practices in the Drupal community, we are making a change to how trusted proxy headers are configured on the Acquia Cloud platform.
What is changing?
Symfony, and therefore Drupal 8 has support for the following proxy headers:
As of Thursday, 20 December 2018, we will be changing the default configuration to ensure that only the following proxy headers are trusted on Acquia Cloud:
Other proxy headers will not be trusted by default, however, if your application is using other headers these can be re-enabled by making a simple change to your site’s settings.php file.
How can I tell if my application is using other proxy headers?
Typically this will only be the case if your application has another proxy layer in front of the Acquia platform, for example a CDN. Drupal's status report links to a phpinfo page (/admin/reports/status/php) where the request headers the application is receiving should be displayed. For example:
This illustrates a site foobar.com receiving an X-Forwarded-Host header with the value of example.com
If in doubt, please contact Acquia Support for assistance.
My application is using other trusted proxy headers. How do I ensure that my application is not impacted by this change?
If your application is using other trusted proxy headers you will need to add a line for each header to your settings.php file after the require line. For example:
// Trust the X-Forwarded-Host header. $settings['reverse_proxy_host_header'] = 'X_FORWARDED_HOST';
This is the most likely proxy header to be affected. Examples of settings for the other proxy headers are in Drupal's default.settings.php.
This change simply ensures that your current configuration will continue to function after we make this change at the platform level. As with all other changes to your settings.php file, we we encourage thorough testing to ensure that the change does not cause problems with your application.