Reverse Proxy

Trusted Hosts

If the HumHub application is working behind a reverse proxy (especially an SSL terminator), the reverse proxy must be marked as trusted host.

The following headers are only accepted by a trusted host:

• X-Forwarded-For
• X-Forwarded-Host
• X-Forwarded-Proto
• Front-End-Https
• X-Rewrite-Url

The trusted host must be specified in the configuration file protected/config/web.php.

Example configuration:

<?php

/**

* This file provides to overwrite the default HumHub / Yii configuration by your local Web environments

* @see http://www.yiiframework.com/doc-2.0/guide-concept-configurations.html

* @see http://docs.humhub.org/admin-installation-configuration.html

* @see http://docs.humhub.org/dev-environment.html

*/

return [

'components' => [

'request' => [

'trustedHosts' => ['192.168.0.0/24']

],

]

];

An array key is an IPv4 or IPv6 IP address in CIDR notation for matching a client.

An array value is a list of headers to trust. These will be matched against $secureHeaders to determine which headers are allowed to be sent by a specified host. The case of the header names must be the same as specified in $secureHeaders.

You can find more information in the Yii2 documentation: https://www.yiiframework.com/doc/api/2.0/yii-web-request#$trustedHosts-detail

Caching

If the proxy also acts as a cache, it is important that query parameters are taken into account.

When static files are modified (e.g. during an upgrade), HumHub automatically adds a new query parameter value (cache bust).

The following paths can be cached:

• /assets/*
• /themes/*
• /uploads/*
• /static/*

Example NGINX caching snippet (incomplete):

location ~ ^/(assets|themes|uploads|static)/.*$ {

add_header X-ECache 1;

add_header X-ECache-Key $host$uri$is_args$args;

add_header X-ECache-Status $upstream_cache_status;

proxy_ignore_headers "Expires";

proxy_ignore_headers "Cache-Control";

proxy_cache_key "$host$uri$is_args$args";

proxy_cache_valid 200 1d;

proxy_pass $target;

}