To ensure that Acquia Cloud is in line with best practices in the Drupal community, we are making a change to how trusted proxy headers are configured on the Acquia Cloud platform for Drupal 8 sites.
What is changing?
Symfony, and therefore Drupal 8, has support for the following proxy headers:
As of Thursday, 20 December 2018, we will be changing the default configuration to ensure that only 2 proxy headers are trusted on Acquia Cloud:
The other proxy headers mentioned in the first list will not be trusted by default. If your application is using the other headers (for example, if you're using a CDN), you can re-enable them by making a simple change to your site’s settings.php file (see below).
How can I tell if my application is using other proxy headers?
Typically this will only be the case if your application has another proxy layer in front of the Acquia platform, for example a CDN.
Before the change happens on the Acquia platform, you can see whether your application currently uses these headers by:
- Going to your Acquia-hosted Drupal site, making sure to use the same public domain your visitors use (and not the *.acquia-sites.com domain)
- Logging in to your Drupal application as Admin
- Going to Drupal's Admin > Reports > Status Report > PHP (/admin/reports/status/php), where the request headers the application is receiving should be displayed.
Here's an example screenshot of the relevant section:
This illustrates a site foobar.com receiving an X-Forwarded-Host header with the value of example.com. In this example, you would need to take action, since a CDN is adding these extra headers. Your next step would be to add the code mentioned below so that your application can use these headers.
If in doubt, please contact Acquia Support for assistance.
My application is using the other trusted proxy headers. How do I ensure that my application is not impacted by this change?
First of all, remember that Drupal 7 will not be affected by this change.
If your application is using other trusted proxy headers you will need to add a line for each header to your settings.php file after the require line. For example:
// Trust the X-Forwarded-Host header.
$settings['reverse_proxy_host_header'] = 'X_FORWARDED_HOST';
This is the most likely proxy header to be affected. Examples of settings for the other proxy headers are in Drupal's default.settings.php.
This change simply ensures that your current configuration will continue to function after we make this change at the platform level. As with all other changes to your settings.php file, we encourage thorough testing to ensure that the change does not cause problems with your application.
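The following settings.php fragment is an added example, not Acquia's own code. It shows the one-line-per-header approach described above, enabling only the header the CDN was actually seen to send and pairing it with Drupal's trusted_host_patterns setting. The setting names are the ones documented in Drupal 8's default.settings.php. The domain www.example.com and the choice of which headers the CDN sends are assumptions to replace with your own values.

```php
<?php
// Added example for settings.php. Place these lines after the Acquia
// require line. Enable a header only if the status report shows your CDN
// sending it. Every header trusted here is a value Drupal will accept from
// the proxy layer in place of the one on the direct connection.

// Trust the X-Forwarded-Host header (assumption: the CDN sets it).
$settings['reverse_proxy_host_header'] = 'X_FORWARDED_HOST';

// Left disabled in this example. Uncomment only if your CDN sends them.
// Trust the X-Forwarded-Port header.
// $settings['reverse_proxy_port_header'] = 'X_FORWARDED_PORT';
// Trust the Forwarded header.
// $settings['reverse_proxy_forwarded_header'] = 'FORWARDED';

// Because the hostname can now come from a forwarded header, limit the
// hostnames Drupal will accept to the public domains the site is served
// on. www.example.com is a placeholder for your own domain.
$settings['trusted_host_patterns'] = [
  '^www\.example\.com$',
];
```

After deploying, reload /admin/reports/status/php through the public domain and confirm the site still resolves its own URLs correctly.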