TYPO3 and reverse proxy

Configure TYPO3 for reverse proxies like traefik

  • 6 LTS
  • 7 LTS
  • 8 LTS
  • 9 LTS
  • 10-dev

If you´re using TYPO3 behind a reverse proxy (e.g. traefik), then you need to tell TYPO3 that you´re using one.

Before you ask: Generally TYPO3 works without the settings I´ll show you too, but you’ll probably face some issues if you enable settings like lockSSL because TYPO3 things that your website viewers call the website on port 80 (http) even if they are on port 443 (https). That’s because the communication between the reverse proxy and the webserver runs on port 80. 

So let’s do some configuration. Either go to the Install Tool > All configuration and search for the setting names or if you’re using an AdditionalConfiguration.php put them right there.

 

<?php
// '*' tells TYPO3 to use the value of reverseProxyIP for comparison
$GLOBALS['TYPO3_CONF_VARS']['SYS']['reverseProxySSL'] = '*';
// reverseProxyIP equals the IP address of your reverse proxy (e.g. traefik)
$GLOBALS['TYPO3_CONF_VARS']['SYS']['reverseProxyIP'] = '172.26.0.42';
// trustedHostsPattern contains your domain OR a pattern for your requirements
$GLOBALS['TYPO3_CONF_VARS']['SYS']['trustedHostsPattern'] = 'domain.tld';
// use ip address from HTTP_X_FORWARDED_FOR for remote address and 
// use host name from HTTP_X_FORWARDED_HOST
$GLOBALS['TYPO3_CONF_VARS']['SYS']['reverseProxyHeaderMultiValue'] = 'first';

 

This configuration now tells TYPO3 to test if $_SERVER['REMOTE_ADDR'] equals the value of reverseProxyIP in order to check if the website was called using HTTP or HTTPS.

Replace the reverseProxyIP with an "*" if the SERVER_ADDR equals HTTP_X_FORWARDED_FOR!

Errors I got before telling TYPO3 that it´s behind a reverse proxy

  • lockSSL ends in a loop of redirects because TYPO3 thinks the website was called via HTTP and redirects to HTTPS
  • some actions in the TYPO3 backend made problems because scripts or actions were loaded via HTTP and mismatched the browsers security