On Wed, Feb 8, 2017 at 12:01 AM, Reindl Harald <h.rei...@thelounge.net> wrote:
>
> how can you trust as a php application developer that "X-Forwarded-Proto" is
> trustable and not from the enduser client at all - for REMOTE_ADDR you don't
> consider "X-Forwarded-For" exactly for that reason

I'm not proposing to use or trust "X-Forwarded-Proto" directly, but that mod_remoteip [either directly or by providing the (optional) functions for ap_add_{common,cgi}_vars() to] set REMOTE_HTTPS=on and/or REMOTE_SCHEME=https accordingly. Just like REMOTE_ADDR. But not change HTTPS and/or REQUEST_SCHEME (but more importantly their sources/hooks as accessed and read by core/modules), like (IIUC) proposed by the patches. This is local information.
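
The separation discussed in this message, modelled as an added Python example; it is not part of the original mail and not httpd or mod_remoteip code. The helper `build_env`, the `TRUSTED_PROXIES` list and all addresses are constructed for illustration, and defaulting the REMOTE_* values to the local connection when no trusted proxy is involved is an assumption.

```python
import ipaddress

# Constructed sample standing in for a trusted-proxy list (assumption).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def build_env(peer_ip, local_tls, headers):
    """Hypothetical helper. `headers` is a dict with lower-case names."""
    scheme = "https" if local_tls else "http"
    # HTTPS / REQUEST_SCHEME describe this hop only and are never
    # derived from request headers.
    env = {"REQUEST_SCHEME": scheme, "REMOTE_ADDR": peer_ip,
           "REMOTE_SCHEME": scheme}
    if local_tls:
        env["HTTPS"] = env["REMOTE_HTTPS"] = "on"

    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        return env  # forwarded headers from an untrusted peer are ignored

    # Only a trusted proxy may override the REMOTE_* view of the client.
    proto = headers.get("x-forwarded-proto", "").strip().lower()
    if proto in ("http", "https"):
        env["REMOTE_SCHEME"] = proto
        env.pop("REMOTE_HTTPS", None)
        if proto == "https":
            env["REMOTE_HTTPS"] = "on"

    # The rightmost entry is the address the trusted proxy itself saw.
    client = headers.get("x-forwarded-for", "").split(",")[-1].strip()
    try:
        env["REMOTE_ADDR"] = str(ipaddress.ip_address(client))
    except ValueError:
        pass  # missing or malformed value: keep the peer address
    return env


if __name__ == "__main__":
    spoof = {"x-forwarded-proto": "https", "x-forwarded-for": "203.0.113.7"}
    print(build_env("10.0.0.5", False, spoof))      # via trusted proxy
    print(build_env("198.51.100.9", False, spoof))  # direct client, ignored
```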