From e20aacc24698a8b115309983b4207a33aafe48ca Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Guilbot?= <j.guilbot@gmail.com>
Date: Fri, 6 Sep 2019 12:03:06 -0500
Subject: [PATCH] Add note on Trusted Proxies config when app is behind
 multiple proxies

---
 deployment/proxies.rst | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/deployment/proxies.rst b/deployment/proxies.rst
index 848f7d8b4f9..78a7eea05d8 100644
--- a/deployment/proxies.rst
+++ b/deployment/proxies.rst
@@ -76,6 +76,12 @@ That's it! It's critical that you prevent traffic from all non-trusted sources.
 If you allow outside traffic, they could "spoof" their true IP address and
 other information.
 
+.. caution::
+
+    In case you are also using `CloudFront`_ or another reverse proxy on top of your load balancer, calling ``$request->server->get('REMOTE_ADDR')`` as in the above example won't be enough, as it will only whitelist the node sitting directly above your application (in this case your load balancer). You need to make sure you also append the IP addresses or ranges of any additional proxy to the array of trusted proxies. 
+    
+    In the case of `CloudFront`_, you can find the list of IP ranges `at this address <https://ip-ranges.amazonaws.com/ip-ranges.json>`_. 
+
 Custom Headers When Using a Reverse Proxy
 -----------------------------------------