On Wed, Feb 8, 2017 at 12:25 AM, Yann Ylavic <ylavic....@gmail.com> wrote:
> On Wed, Feb 8, 2017 at 12:01 AM, Reindl Harald <h.rei...@thelounge.net> wrote:
>>
>> how can you trust as a php application developer that "X-Forwarded-Proto" is
>> trustable and not from the enduser client at all - for REMOTE_ADDR you don't
>> consider "X-Forwarded-For" exactly for that reason
>
> I'm not proposing to use or trust "X-Forwarded-Proto" directly, but
> that mod_remoteip [either directly or provides the (optional)
> functions for ap_add_{common,cgi}_vars() to] set REMOTE_HTTPS=on
> and/or REMOTE_SCHEME=https accordingly.
> Just like REMOTE_ADDR.
>
> But not change HTTPS and/or REQUEST_SCHEME (but more importantly their
> sources/hooks as accessed and read by core/modules), like (IIUC)
> proposed by the patches.
> These are local informations.

Actually, I'm not really opposed to setting HTTPS=on (according to mod_remoteip) in the environment *given to the script/CGI* only, if that's the trigger for it to do the desired thing; this won't be used by httpd internally at least. What's proposed so far is much more than that (if I read the patches correctly).
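
The separation discussed in this message, modelled as an added example (not code from the thread, the patches or mod_remoteip): REMOTE_SCHEME/REMOTE_HTTPS are derived from "X-Forwarded-Proto" only when the connecting peer is a trusted proxy, while HTTPS/REQUEST_SCHEME keep describing the local connection. The proxy list, the function names, the `https_for_script` switch and the fallback to the local scheme are assumptions made for illustration.

```python
import ipaddress

# Hypothetical trusted-proxy list (constructed sample value).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def remote_scheme(peer_ip, local_tls, headers, trusted=TRUSTED_PROXIES):
    """Scheme used by the end user, as far as a trusted proxy vouches for it."""
    local = "https" if local_tls else "http"
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in trusted):
        # The header may come straight from the end-user client: ignore it,
        # the same way X-Forwarded-For is ignored for REMOTE_ADDR.
        return local
    hdrs = {k.lower(): v for k, v in headers.items()}
    value = hdrs.get("x-forwarded-proto", "").strip().lower()
    # Assumption: anything other than a single http/https token is discarded.
    return value if value in ("http", "https") else local


def script_env(peer_ip, local_tls, headers, https_for_script=False):
    """Variables handed to the script/CGI; the server's own view is not changed."""
    env = {"REQUEST_SCHEME": "https" if local_tls else "http"}
    if local_tls:
        env["HTTPS"] = "on"  # local information: TLS terminated here
    scheme = remote_scheme(peer_ip, local_tls, headers)
    env["REMOTE_SCHEME"] = scheme
    if scheme == "https":
        env["REMOTE_HTTPS"] = "on"
        if https_for_script:
            # Script-facing copy only, for applications that key on HTTPS=on.
            env["HTTPS"] = "on"
    return env


if __name__ == "__main__":
    hdr = {"X-Forwarded-Proto": "https"}
    print(script_env("10.1.2.3", False, hdr))      # via trusted proxy
    print(script_env("203.0.113.7", False, hdr))   # header sent by a client
```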