explaingit

fideloper/trustedproxy

7,315PHPAudience · developerComplexity · 2/5Setup · easy

TLDR

PHP package for Laravel that makes your app correctly identify real visitor IPs and protocols when running behind a load balancer or reverse proxy like AWS ELB or Cloudflare.

Mindmap

mindmap
  root((trustedproxy))
    What it does
      Trusts proxy IPs
      Reads forwarded headers
      Fixes real visitor IP
    Tech Stack
      PHP
      Laravel
    Use Cases
      AWS load balancer
      CDN behind app
      HTTPS redirect fix
    Audience
      Laravel developers
      Backend engineers
Click or tap to explore — scroll the page freely

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

Things people build with this

USE CASE 1

Configure trusted proxies so a Laravel app reads correct visitor IPs behind an AWS Elastic Load Balancer.

USE CASE 2

Fix broken HTTPS redirects in a Laravel app deployed behind Cloudflare or an nginx reverse proxy.

USE CASE 3

Prevent malicious users from spoofing their IP address via forged X-Forwarded-For headers.

USE CASE 4

Migrate older Laravel apps (pre-5.5) to proper proxy trust configuration before upgrading to a newer version.

Tech stack

PHPLaravel

Getting it running

Difficulty · easy Time to first run · 5min

Only needed for Laravel older than 5.5, Laravel 9+ has a built-in replacement.

In plain English

This is a PHP package for the Laravel web framework that solves a specific problem with applications deployed behind load balancers or reverse proxies. When a web server sits behind an intermediary such as a cloud load balancer or a CDN, the server only sees the intermediary's IP address and connection details, not the original visitor's. This causes problems with URL generation, redirects, and logging because the application thinks users are connecting from the proxy's address rather than their actual one. Modern web setups handle this by having the proxy add special HTTP headers to each request, such as X-Forwarded-For (the real visitor's IP address) and X-Forwarded-Proto (whether the original request used http or https). The catch is that Laravel only reads those headers if the proxy sending them is listed as trusted. Otherwise, any external party could set those headers and manipulate what the application believes about where a request came from. This package provides a simpler way to configure which proxies are trusted. You list the IP addresses of your load balancers or proxy servers, and Laravel will then correctly read the forwarded headers from those sources. For hosted services like AWS where the proxy's IP address is not known in advance, you can choose to trust all proxies, though the README notes that this comes with a security trade-off. As of Laravel 5.5, this functionality was incorporated directly into the framework itself, so the package is only needed for older versions. For Laravel 9 and above, a different built-in approach replaced it, and the README links to the upgrade documentation.

Copy-paste prompts

Prompt 1
I'm running a Laravel 5.4 app behind an AWS Elastic Load Balancer. Show me how to configure fideloper/trustedproxy so my app reads real user IPs instead of the load balancer's IP.
Prompt 2
My Laravel app generates http:// URLs instead of https:// even though we use HTTPS termination at the load balancer. Walk me through fixing this with trustedproxy.
Prompt 3
What's the security risk of setting TRUST_PROXIES='*' in trustedproxy, and how do I limit it to specific proxy IPs instead?
Prompt 4
Show me how to configure trustedproxy in Laravel to trust a Cloudflare CDN and correctly detect X-Forwarded-Proto headers.
Open on GitHub → Explain another repo

← fideloper on gitmyhub — every repo by this author, as a profile.

Verify against the repo before relying on details.