The problem¶

If you upgrade an existing Symfony application to the new 3.3.0 version, you may see this error (depending on your application configuration):

The "framework.trusted_proxies" configuration key has been removed in Symfony 3.3.

The solution¶

Remove the framework.trusted_proxies option from your config file and call the Request::setTrustedProxies() method in your front controller.

For example, if your original config was the following:

# app/config/config.yml
framework:
    # ...
    trusted_proxies:  [192.0.0.1, 10.0.0.0/8]

Remove the trusted_proxies option entirely and add the following in the app.php file:

# web/app.php

// BEFORE
// ...
$kernel = new AppKernel('prod', false);
Request::setTrustedHeaderName(Request::HEADER_FORWARDED, null);
$request = Request::createFromGlobals();
// ...

// AFTER
// ...
$kernel = new AppKernel('prod', false);
Request::setTrustedProxies(['192.0.0.1', '10.0.0.0/8'], Request::HEADER_X_FORWARDED_ALL);
$request = Request::createFromGlobals();
// ...

You can do this change right now because it also works in Symfony versions prior to 3.3. That way you'll be ready to upgrade your application and you won't see the error mentioned above when upgrading.

The explanation¶

Symfony project follows a backward compatibility policy that lets you upgrade across minor versions (e.g. from 2.7 to 2.8 or from 3.2 to 3.3) without breaking your applications.

The only exception to this policy is when breaking backward compatibility is the only way to fix a security issue. That's what happened in this case. A member of the Heroku team reported this problem to us and the only choice we had was to introduce this BC break.

Luckily the break is easy to fix and you can do it right now to make your applications forward compatible with Symfony 3.3.