From 9d396eb0b34479b2823df657267ef4e020f6bb6a Mon Sep 17 00:00:00 2001
From: kncsvk <3289370+kncsvk@users.noreply.github.com>
Date: Sun, 6 Jan 2019 06:24:01 +0100
Subject: [PATCH] HTTPS and mod_remoteip Trust HTTP_X_FORWARDED_PROTO and HTTP_X_FORWARDED_PORT even if not coming from trusted proxy. It's not security problem like directly parsing HTTP_X_FORWARDED_FOR. This fixes HTTPS in proxy server setups with enabled mod_remoteip.
---
 src/Http/RequestFactory.php | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/Http/RequestFactory.php b/src/Http/RequestFactory.php
index 15de3deb..4ddfb3e4 100644
--- a/src/Http/RequestFactory.php
+++ b/src/Http/RequestFactory.php
@@ -265,8 +265,17 @@ public function createHttpRequest(): Request
 }
 }
 }
- }
+ } else {
+ if (!empty($_SERVER['HTTP_X_FORWARDED_PROTO'])) {
+ $url->setScheme(strcasecmp($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') === 0 ? 'https' : 'http');
+ $url->setPort($url->getScheme() === 'https' ? 443 : 80);
+ }
+ if (!empty($_SERVER['HTTP_X_FORWARDED_PORT'])) {
+ $url->setPort((int) $_SERVER['HTTP_X_FORWARDED_PORT']);
+ }
+ }
+
 
 // method, eg. GET, PUT, ...
 $method = $_SERVER['REQUEST_METHOD'] ?? null;
 if (
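Review bot: The new `else` branch takes `HTTP_X_FORWARDED_PROTO` and `HTTP_X_FORWARDED_PORT` from any peer, so the scheme and port of the request URL become client-controlled whenever the front end does not overwrite both headers. Anything downstream that relies on them (secured-connection checks, the decision to mark cookies Secure, HTTP-to-HTTPS redirects, absolute URLs) would then presumably be working from unauthenticated input. The `if` that this `else` pairs with opens outside the hunk, and it is presumably the trusted-proxy check. I would keep both headers behind the proxy allow-list or an explicit opt-in setting for mod_remoteip deployments, and document that the proxy must strip client-supplied copies. Separately, the port is cast with no range check, so a non-numeric value becomes port 0; `$port = (int) $_SERVER['HTTP_X_FORWARDED_PORT'];` followed by `if ($port >= 1 && $port <= 65535) { $url->setPort($port); }` would reject it.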