Filament•5mo ago

Filament Panel assets not respecting X-Forwarded-Host Header

I have a very strange issue using Filament in an enterprise/production environment. I defined some additional resources in my PanelProvider:

    public function panel(Panel $panel): Panel
    {
        /* Also tried this but that is not the issue
        if (app()->environment() === 'production') {
            URL::forceScheme('https');
        }
        /*
        return $panel
            ->default()
            ->font('Benton', url: Vite::asset('resources/css/fonts.css'), provider: LocalFontProvider::class)
            ->viteTheme('resources/css/filament/admin/theme.css')
            ->brandLogo(asset('img/logo.svg'))
            ->darkModeBrandLogo(asset('img/logo-dark.svg'));
    }

    public function panel(Panel $panel): Panel
    {
        /* Also tried this but that is not the issue
        if (app()->environment() === 'production') {
            URL::forceScheme('https');
        }
        /*
        return $panel
            ->default()
            ->font('Benton', url: Vite::asset('resources/css/fonts.css'), provider: LocalFontProvider::class)
            ->viteTheme('resources/css/filament/admin/theme.css')
            ->brandLogo(asset('img/logo.svg'))
            ->darkModeBrandLogo(asset('img/logo-dark.svg'));
    }

The app is accessed using a proxy and an external URL that differs from the internal URL that is being used from an internal network. All assets are retrieved using HTTPS. I also set the trusted proxies (https://laravel.com/docs/11.x/requests#configuring-trusted-proxies) and this works as expected. The only issue is that the assets defined in the Filament Panel Provider are being served using HTTP(S) using the INTERNAL domain/URL (see attached). As you can see all assets - except for those defined in the panel provider - are correctly served over HTTPS and under the external domain the app is being accessed with. So is Filament doing something different here by returning asset URLs using the internal App URL?

Laravel - The PHP Framework For Web Artisans

Laravel is a PHP web application framework with expressive, elegant syntax. We’ve already laid the foundation — freeing you to create without sweating the small things.

1 Reply

NuekratoOP•5mo ago

OK. I further analysed the issue and it seems like a Filament bug: If I set this in the panel provider:

public function panel(Panel $panel): Panel
{
if (request()->hasHeader('X-Forwarded-Host') {
    request()->headers->set('Host', request()->header('X-Forwarded-Host'));
}
}

public function panel(Panel $panel): Panel
{
if (request()->hasHeader('X-Forwarded-Host') {
    request()->headers->set('Host', request()->header('X-Forwarded-Host'));
}
}

This seems to be very odd. Laravel respects the X-Forwarded-Host-Header per default when running behind a loadbalancer. I didn't ever experience issues with assets but only using Filament in this case... Any ideas? This is my app/Http/Middleware/TrustProxies.php

<?php
 
namespace App\Http\Middleware;
 
use Illuminate\Http\Middleware\TrustProxies as Middleware;
use Illuminate\Http\Request;
 
class TrustProxies extends Middleware
{
    /**
     * The trusted proxies for this application.
     *
     * @var string|array
     */
    protected $proxies = '*';
 
    /**
     * The headers that should be used to detect proxies.
     *
     * @var int
     */
    protected $headers = Request::HEADER_X_FORWARDED_FOR | Request::HEADER_X_FORWARDED_HOST | Request::HEADER_X_FORWARDED_PORT | Request::HEADER_X_FORWARDED_PROTO;
}

<?php
 
namespace App\Http\Middleware;
 
use Illuminate\Http\Middleware\TrustProxies as Middleware;
use Illuminate\Http\Request;
 
class TrustProxies extends Middleware
{
    /**
     * The trusted proxies for this application.
     *
     * @var string|array
     */
    protected $proxies = '*';
 
    /**
     * The headers that should be used to detect proxies.
     *
     * @var int
     */
    protected $headers = Request::HEADER_X_FORWARDED_FOR | Request::HEADER_X_FORWARDED_HOST | Request::HEADER_X_FORWARDED_PORT | Request::HEADER_X_FORWARDED_PROTO;
}

Gaming

Programming

Filament Panel assets not respecting X-Forwarded-Host Header

Did you find this page helpful?