Shopware behind an HTTP load balancer

Shopware 6.6

In Shopware 6.6, first create a framework.yaml that activates Shopware's internal TRUSTED_PROXIES configuration.


# config/packages/framework.yaml

framework:
    trusted_proxies: '%env(TRUSTED_PROXIES)%'


The TRUSTED_PROXIES configuration can then be set up in .env.local.

# .env.local

TRUSTED_PROXIES=127.0.0.1,10.20.0.0/24

Enter the source IP address of the load balancer in TRUSTED_PROXIES. Shopware accepts forwarded headers from every address in this list, so list only addresses you control. We recommend operating within a creoline VPC network to isolate the internal infrastructure from the public network.


Configuration in the load balancer

For Shopware to handle the forwarded request correctly, the load balancer must send the X-Forwarded-Proto header to the app server. Shopware compares the actual source IP of the connection against TRUSTED_PROXIES, which ensures that the header is accepted only from the authorized load balancer and that Shopware generates the correct URLs.
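The source IP comparison described above can be reproduced offline. The following is an added example, not Shopware or Symfony code: a simplified Python model that uses the TRUSTED_PROXIES value from this page, with constructed sample requests and hypothetical function names.

```python
import ipaddress

# Value from the .env.local example on this page.
TRUSTED_PROXIES = "127.0.0.1,10.20.0.0/24"
# Header values treated as "secure" in this simplified model (assumption).
SECURE_VALUES = {"https", "on", "ssl", "1"}

# Constructed sample requests: (peer address, connection scheme, headers).
SAMPLES = [
    ("10.20.0.5", "http", {"X-Forwarded-Proto": "https"}),    # via load balancer
    ("203.0.113.7", "http", {"X-Forwarded-Proto": "https"}),  # direct, header set by client
    ("10.20.0.5", "http", {}),                                # load balancer omits the header
]


def parse_trusted_proxies(value):
    """Turn a comma-separated list of IPs/CIDRs into network objects."""
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in value.split(",") if item.strip()]


def is_trusted(remote_addr, networks):
    """True if the TCP peer address falls inside a trusted entry."""
    addr = ipaddress.ip_address(remote_addr)
    return any(addr.version == net.version and addr in net for net in networks)


def effective_scheme(remote_addr, connection_scheme, headers, networks):
    """Scheme the application should assume for this request.

    X-Forwarded-Proto is honoured only when the peer is a trusted proxy;
    otherwise it is ignored and the real connection scheme is used.
    """
    forwarded = headers.get("X-Forwarded-Proto")
    if forwarded and is_trusted(remote_addr, networks):
        first = forwarded.split(",")[0].strip().lower()
        return "https" if first in SECURE_VALUES else "http"
    return connection_scheme


def evaluate(samples, trusted=TRUSTED_PROXIES):
    """Effective scheme for each sample request, in order."""
    networks = parse_trusted_proxies(trusted)
    return [effective_scheme(a, s, h, networks) for a, s, h in samples]


if __name__ == "__main__":
    for sample, scheme in zip(SAMPLES, evaluate(SAMPLES)):
        print(sample[0], "->", scheme)
```

The third sample shows why the header must be set on the load balancer: without it, a request that arrived over HTTPS is seen as plain HTTP and URLs are generated accordingly.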


Configuration in HAProxy

# /etc/haproxy/haproxy.cfg

backend shopware
   mode http
   # [...]

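   # req.scheme must already be set earlier in the HAProxy configuration (not shown here).
   # set-header replaces any X-Forwarded-Proto value sent by the client,
   # whereas add-header would append a second value to it.
   http-request set-header X-Forwarded-Proto %[var(req.scheme)]
   # Necessary for https URL generation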

The dynamic variable %[var(req.scheme)] carries the HTTP scheme of the original request to the HAProxy instance, so the transmitted X-Forwarded-Proto header corresponds to the scheme that was actually used.


Configuration in NGINX

# /etc/nginx/conf.d/shopware.conf

location / {
   proxy_pass http://10.20.X.X:80;
   # [...]

   proxy_set_header X-Forwarded-Proto $scheme;
}

The dynamic variable $scheme carries the HTTP scheme of the original request to the NGINX instance, so the transmitted X-Forwarded-Proto header corresponds to the scheme that was actually used.