On Tue, Feb 7, 2017 at 11:34 PM, Reindl Harald <h.rei...@thelounge.net> wrote:
>
> On 07.02.2017 at 22:53, Yann Ylavic wrote:
>>
>> I mean the application can know about "X-Forwarded-Proto or whatever"
>> header, it could act with it like it does with HTTPS=on (if it
>> wishes)
>
> for that you would need to touch each and every application and you have no
> secure way to know for sure if that header is trustable, when mod_remoteip
> is part of the game you don't even know (and should not know) the physical
> connecting IP

I agree with that, "X-Forwarded-Proto or whatever" was meant to say "a trustable information", and I even agree that it's mod_remoteip's job to give that information. I just don't think we should make as if httpd were running https (i.e. for all modules/applications to think it is), but rather give the real information: trustable remote is running https.
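
The distinction discussed in this thread, as an added example that is not part of the original messages and is not httpd or mod_remoteip code: a Python WSGI middleware that accepts `X-Forwarded-Proto` only from a configured proxy and exposes the result under a separate key instead of pretending the local hop is HTTPS. The proxy network, the environ key name and the class name are assumptions made for illustration.

```python
import ipaddress

# Constructed sample value: proxy networks allowed to assert the client's scheme.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

# Hypothetical environ key carrying the verified front-end scheme.
TRUSTED_PROTO_KEY = "example.trusted_forwarded_proto"


def peer_is_trusted(remote_addr, trusted=TRUSTED_PROXIES):
    """True only if the directly connected peer is a configured proxy."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in trusted)


class ForwardedProtoMiddleware:
    """Validate X-Forwarded-Proto without rewriting wsgi.url_scheme."""

    def __init__(self, app, trusted=TRUSTED_PROXIES):
        self.app = app
        self.trusted = trusted

    def __call__(self, environ, start_response):
        # Always drop the raw header so no application reads an unverified value.
        claimed = environ.pop("HTTP_X_FORWARDED_PROTO", None)
        environ.pop(TRUSTED_PROTO_KEY, None)
        peer = environ.get("REMOTE_ADDR", "")
        if claimed is not None and peer_is_trusted(peer, self.trusted):
            proto = claimed.strip().lower()
            # Accept a single exact value; lists or unknown schemes are ignored.
            if proto in ("http", "https"):
                environ[TRUSTED_PROTO_KEY] = proto
        # wsgi.url_scheme stays as the server set it: it describes this hop only.
        return self.app(environ, start_response)
```

An application that wants to act on the front-end scheme reads the separate key; applications that ignore it keep seeing the real scheme of the local connection.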