Considering the design like, User (IP=x.x.x.x) <--> Squid <--> Apache (PHP)
By looking at the header from the Apache, e.g. HTTP_X_FORWARD Is it safe that is must be the remote IP (x.x.x.x) of the user, no cheating is available (e.g. user might set the X-Forward header by themself)? Thanks.
