Magento 2: What is Offloader header?
There is no difference. The default offloader header in Magento 2 is X-Forwarded-Proto
, which matches the de facto standard.
SSL_OFFLOADED
on the other hand, was the default offloader header in Magento 1, and also used by Nexcess_Turpentine, the popular Varnish extension for Magento 1.
Basically, you can call the header however you want, you just have to make sure that your SSL terminator sends it. If you are not sure, X-Forwarded-Proto
is probably the right value.
Offloader header and HTTPS server variable are used by Magento 2 to figure out if request is secure (https).
if you don't set server variable HTTPS
fastcgi_param HTTPS on
then magento checks Offloader header:
vendor/magento/framework/App/Request/Http.php
public function isSecure()
{
if ($this->immediateRequestSecure()) {
return true;
}
/* TODO: Untangle Config dependence on Scope, so that this class can be instantiated even if app is not
installed MAGETWO-31756 */
// Check if a proxy sent a header indicating an initial secure request
$config = $this->objectManager->get('Magento\Framework\App\Config');
$offLoaderHeader = trim(
(string)$config->getValue(
self::XML_PATH_OFFLOADER_HEADER,
ScopeConfigInterface::SCOPE_TYPE_DEFAULT
)
);
return $this->initialRequestSecure($offLoaderHeader);
}
....
protected function initialRequestSecure($offLoaderHeader)
{
$header = $this->getServer($offLoaderHeader);
$httpHeader = $this->getServer('HTTP_' . $offLoaderHeader);
return !empty($offLoaderHeader)
&& (isset($header) && ($header === 'https') || isset($httpHeader) && ($httpHeader === 'https'));
}
see initialRequestSecure function, if Offloader header (or HTTP_{Offloader header}) is set to https then request is secure.