Running TYPO3 behind a reverse proxy or load balancer
When running TYPO3 behind a reverse proxy or load balancer in a production environment, you may encounter issues that are difficult to reproduce in a local setup.
Please refer to the documentation of that server on what exact settings are needed.
Table of contents
Configuring TYPO3 to trust a reverse proxy
TYPO3 must be explicitly configured to recognize and trust reverse proxy headers and IP addresses.
For example, add the following lines to config/:
$GLOBALS['TYPO3_CONF_VARS']['SYS']['reverseProxyIP'] = '192.0.2.1,192.168.0.0/16';
$GLOBALS['TYPO3_CONF_VARS']['SYS']['reverseProxySSL'] = '192.0.2.1,192.168.0.0/16';
$GLOBALS['TYPO3_CONF_VARS']['SYS']['reverseProxyHeaderMultiValue'] = 'first';
$GLOBALS['TYPO3_CONF_VARS']['SYS']['trustedHostsPattern'] = '^(www\.)?example\.com$';If you deploy the config/ or have it container in a custom
Docker image you can, for example, use the
Application Context
to limit the reverse proxy settings to the production environment:
<?php
use TYPO3\CMS\Core\Core\Environment;
if (Environment::getContext()->isProduction()) {
$customChanges = [
// Database Credentials and other production settings
'SYS' => [
'reverseProxySSL' => '192.0.2.1,192.168.0.0/16',
],
];
$GLOBALS['TYPO3_CONF_VARS'] = array_replace_recursive($GLOBALS['TYPO3_CONF_VARS'], (array)$customChanges);
}
You can also use environment variables for configuration
See also
The following settings in
$GLOBALS:
- reverseProxyIP
- reverseProxyHeaderMultiValue
- reverseProxyPrefix
- reverseProxyPrefixSSL
- trustedHostsPattern
The following article from the symfony docs might be helpful in determining the correct IP address or CIDR ranges: How to Configure Symfony to Work behind a Load Balancer or a Reverse Proxy.
In production environments, always use specific IP addresses or CIDR ranges rather than wildcards.
Omitting parts of the IPv4 address acts as a wildcard (for example 192. is
equivalent to 192.). However, using the equivalent CIDR notation
(192.) is the recommended and standardized approach.
Note that IPv6 addresses are supported only with CIDR notation, not wildcards.
Common problems when using a reverse proxy
TYPO3 installations behind an improperly configured reverse proxy may exhibit issues such as:
- Exceptions such as
\TYPO3\CMS\ Core\ Http\ Security\ Missing Referrer Exception - Redirects to the wrong scheme (
httpinstead ofhttps) - Backend login / Install tool login failures or redirect loops
These problems often point to missing or untrusted forwarded headers, or a mismatch between the trusted host settings and the actual domain used.