As promised I checked Drupal and WP and they have different approaches.
Drupal implemented the full X-FORWARD-* directive that you can set in the config file:
This feature was introduced 12 years ago and is still active. This make sense because Drupal is a CMS that quite common to see behind load balancers, haproxies or intensive caching (vagrant) and so on where you don’t want/need the ssl complexity and performance is the priority.
In the other hand, as far as I see, WP don’t implement it in core but offer 3 different solutions:
I think in WP they also full implement “relative protocol” so in some cases it would be an additional solution.
Although in the original typo3 discussion posted by @ps_tadler they said they are against this solution for security concerns, I think typo3 finally implements it.
Anyway, both (WP and typo3) propose the use of Apache/Nginx rules behind the proxy to change the environment variables, so I give a try to this just adding this rule in the destination apache’s virtualhost to “Let apache know we’re behind a SSL reverse proxy” and works like a charm:
SetEnvIf X-Forwarded-Proto "https" HTTPS=on
I need to dig into this deeper, but first test let me login, navigate upload and so on… without touching the original OJS code.
If somebody can confirm this solution with his/her own infrastructure (you have an equivalent rule in nginx) I would encourage to document and propose this as a final solution for “reverse proxies” because IMHO this is better than ssl end-to-end.
Anyway, even is not as urgent now, with with the change of context in the infrastructures, I still think would be nice to offer a full implementation of the X-FORWARD-tags in OJS one day to let admins get full control about how things will be seen behind the proxy.