How to run concrete5 behind CloudFlare and AWS ELB

This is valid after concrete5.7.

Since implementing Symfony framework, concrete5 is equipped with IP check. If the user changed the originated IP address, concrete5 will log you out.

However, this security measurement doesn’t go well with advanced load balancer such as AWS Elastic Load Balancer or CloudFlare.

From concrete5’s POV, it can only see the IP addresses of the load balancer ($_SERVER[‘REMOTE_ADDR’] to be exact). Because the balancer’s IP address will constantly be changing, concrete5 (Symfony framework) think your ID&PW may be stolen and log you out.

You will get the symptom that you can login to concrete5 welcome page, but you cannot go further, but forced to be logged out on the next page because concrete5 think you’re hacker because you are accessing through via different “proxy” server.

You need to tell concrete5 that those IP address are trusted by placing the following code onto /application/config/concrete.php

 

<?php
/**
 * Always trust incoming request.
 * 
 * For more detail, see: http://symfony.com/doc/current/cookbook/request/load_balancer_reverse_proxy.html
 */
// Get remote address
$remoteIp = $_SERVER['REMOTE_ADDR'];
return array(
    'security' => array(
        'trusted_proxies' => array(
            'ips' => array($remoteIp),
        ),
    ),
);

 

It should resolve the issue.