Magento 2: What is Offloader header?

There is no difference. The default offloader header in Magento 2 is X-Forwarded-Proto, which matches the de facto standard.

SSL_OFFLOADED on the other hand, was the default offloader header in Magento 1, and also used by Nexcess_Turpentine, the popular Varnish extension for Magento 1.

Basically, you can call the header however you want, you just have to make sure that your SSL terminator sends it. If you are not sure, X-Forwarded-Proto is probably the right value.


Offloader header and HTTPS server variable are used by Magento 2 to figure out if request is secure (https).

if you don't set server variable HTTPS

fastcgi_param HTTPS on

then magento checks Offloader header:

vendor/magento/framework/App/Request/Http.php

public function isSecure()
{
    if ($this->immediateRequestSecure()) {
        return true;
    }
    /* TODO: Untangle Config dependence on Scope, so that this class can be instantiated even if app is not
    installed MAGETWO-31756 */
    // Check if a proxy sent a header indicating an initial secure request
    $config = $this->objectManager->get('Magento\Framework\App\Config');
    $offLoaderHeader = trim(
        (string)$config->getValue(
            self::XML_PATH_OFFLOADER_HEADER,
            ScopeConfigInterface::SCOPE_TYPE_DEFAULT
        )
    );

    return $this->initialRequestSecure($offLoaderHeader);
}

....

protected function initialRequestSecure($offLoaderHeader)
{
    $header = $this->getServer($offLoaderHeader);
    $httpHeader = $this->getServer('HTTP_' . $offLoaderHeader);
    return !empty($offLoaderHeader)
    && (isset($header) && ($header === 'https') || isset($httpHeader) && ($httpHeader === 'https'));
}

see initialRequestSecure function, if Offloader header (or HTTP_{Offloader header}) is set to https then request is secure.