symfony2 behind Amazon ELB: always trust proxy dat

Published 2019-02-15 00:14

Question:

I'm running a Symfony2 web application on AWS, and am using an Elastic Load Balancer.

In a controller method, I need to do the following to get the IP of a user requesting a web page:

$request->trustProxyData();
$clientIp = $request->getClientIp(true);

Does this present any security risks? I'm not using the client IP for privilege escalation, I'm just logging it.

Is there some way to force trustProxyData() always, or otherwise reconfigure $request->getClientIp() to DWIM? My app will always be behind a load balancer (except while I do development on my desktop).

Related: http://fabien.potencier.org/article/51/create-your-own-framework-on-top-of-the-symfony2-components-part-2 (but it doesn't say if there's some global config so I don't have to call trustProxyData() everywhere).

Answer 1:

You can configure the framework bundle to do this: http://symfony.com/doc/2.0/reference/configuration/framework.html#trust-proxy-headers

framework:
    trust_proxy_headers: true


Answer 2:

I am not sure about any general security risks, but I can give you a tip how to avoid calling this method in each controller action.

In your app.php just before the $kernel->handle(...); you should set:

use Symfony\Component\HttpFoundation\Request; // already imported in the standard app.php

Request::trustProxyData();

Cheers ;)



Answer 3:

Note:

The trust_proxy_headers option is deprecated and will be removed in Symfony 2.3.

See trusted_proxies and Trusting Proxies for details on how to properly trust proxy data.



Answer 4:

I used

Request::setTrustedProxies(array($request->server->get('REMOTE_ADDR')));

in web/app.php to solve the problem.

See my answer here: https://stackoverflow.com/a/28793609/2030937
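The question asks whether trusting proxy data is a security risk, and the last answer shows the fix of naming only the load balancer as a trusted proxy. The following stand-alone PHP is an added example, not code from the question, the answers or Symfony itself: `resolveClientIp()` is a hypothetical function that mirrors the rule Symfony's `Request::getClientIp()` applies once `Request::setTrustedProxies()` is configured (walk the X-Forwarded-For chain from the right, skipping trusted hops), and `legacyLeftmostIp()` shows the older "believe the leftmost entry" behaviour for contrast. All addresses and server arrays are constructed sample values, and it runs with plain `php` and no Symfony install.

```php
<?php
// Added example (not from the original page): hypothetical helpers that show
// why a proxy allow-list matters when logging the client IP behind an ELB.

/**
 * Resolve the client IP, trusting forwarded headers only from listed proxies.
 * Mirrors the rule Symfony's Request::getClientIp() uses with setTrustedProxies():
 * the first untrusted hop, counted from the peer we actually talked to, wins.
 *
 * @param array $server         constructed stand-in for $_SERVER
 * @param array $trustedProxies IP addresses of proxies we control (the ELB)
 * @return string
 */
function resolveClientIp(array $server, array $trustedProxies)
{
    $remoteAddr = $server['REMOTE_ADDR'];

    // The TCP peer is not a trusted proxy: any X-Forwarded-For header was
    // written by an untrusted party, so ignore it and use the peer address.
    if (!in_array($remoteAddr, $trustedProxies, true)) {
        return $remoteAddr;
    }

    // Chain as sent by the client side ("client, proxy1, proxy2"), completed
    // with the peer address. An ELB appends the connecting address to whatever
    // header it received, so the real client is always right of any forgery.
    $chain = array();
    if (!empty($server['HTTP_X_FORWARDED_FOR'])) {
        $chain = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    }
    $chain[] = $remoteAddr;

    // Walk right to left, skipping trusted proxies and malformed entries.
    for ($i = count($chain) - 1; $i >= 0; --$i) {
        $hop = $chain[$i];
        if (!filter_var($hop, FILTER_VALIDATE_IP)) {
            continue; // not an IP address: skip it
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop; // first hop that is not one of our proxies
        }
    }

    // Every hop was a trusted proxy (e.g. a health check from the ELB itself).
    return $remoteAddr;
}

/**
 * The older behaviour: take the leftmost X-Forwarded-For entry as the client.
 * Whoever sent the request chose that value, so it cannot be relied on.
 */
function legacyLeftmostIp(array $server)
{
    if (!empty($server['HTTP_X_FORWARDED_FOR'])) {
        $parts = explode(',', $server['HTTP_X_FORWARDED_FOR'], 2);
        return trim($parts[0]);
    }
    return $server['REMOTE_ADDR'];
}

// Constructed sample: the ELB (10.0.0.5) forwards a request whose sender
// pre-filled X-Forwarded-For with 1.2.3.4; the ELB appended 203.0.113.50.
$viaElb = array(
    'REMOTE_ADDR'          => '10.0.0.5',
    'HTTP_X_FORWARDED_FOR' => '1.2.3.4, 203.0.113.50',
);

// Constructed sample: a direct request (dev desktop, or a host bypassing the
// ELB) that carries a forged X-Forwarded-For header.
$direct = array(
    'REMOTE_ADDR'          => '198.51.100.7',
    'HTTP_X_FORWARDED_FOR' => '1.2.3.4',
);

$trusted = array('10.0.0.5'); // only the load balancer, as in the last answer

echo resolveClientIp($viaElb, $trusted), PHP_EOL;  // 203.0.113.50: the ELB-appended address
echo resolveClientIp($direct, $trusted), PHP_EOL;  // 198.51.100.7: forged header ignored
echo legacyLeftmostIp($viaElb), PHP_EOL;           // 1.2.3.4: the sender-chosen value is logged
```

The same resolution in Symfony 2.3 and later is `Request::setTrustedProxies(array('10.0.0.5'))` in `web/app.php` followed by `$request->getClientIp()` in the controller (from Symfony 3.3, and mandatory from 4.0, `setTrustedProxies()` takes a second argument naming the headers to trust, such as `Request::HEADER_X_FORWARDED_FOR`). The `REMOTE_ADDR` trick in the last answer trusts whichever peer connected, which is only equivalent to the allow-list above if the instance's security group lets nothing but the load balancer reach the web port; if the instance is reachable directly, a direct request could supply its own forwarded header and have it believed.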