object TlsUtil {
  val password = "password".toCharArray()

  private val localhost: HandshakeCertificates by lazy {
    // Generate a self-signed cert for the server to serve and the client to trust.
    val heldCertificate =
      HeldCertificate
        .Builder()
        .commonName("localhost")
        .addSubjectAlternativeName("localhost")
        .addSubjectAlternativeName("localhost.localdomain")

    int NT_STATUS_LOGON_TYPE_NOT_GRANTED = 0xC000015b;
    /** The SAM database does not have a computer account for this workstation trust relationship */
    int NT_STATUS_NO_TRUST_SAM_ACCOUNT = 0xC000018b;
    /** The trust relationship between the primary domain and the trusted domain failed */
    int NT_STATUS_TRUSTED_DOMAIN_FAILURE = 0xC000018c;
    /** The account used is a computer account */

    assertThat(actual).isNotNull()
  }

  private fun enableTls() {
    // Generate a self-signed cert for the server to serve and the client to trust.
    // can't use TlsUtil.localhost with a non OpenJSSE trust manager
    val heldCertificate =
      HeldCertificate
        .Builder()
        .commonName("localhost")
        .addSubjectAlternativeName("localhost")
        .build()

		ACB_MNS                    = 0x00000020, /* 1 = MNS logon user account */
		ACB_DOMTRUST               = 0x00000040, /* 1 = Interdomain trust account */
		ACB_WSTRUST                = 0x00000080, /* 1 = Workstation trust account */
		ACB_SVRTRUST               = 0x00000100, /* 1 = Server trust account */
		ACB_PWNOEXP                = 0x00000200, /* 1 = User password does not expire */

  private val sslExcludeFilter =
    Regex(
      buildString {
        append("^(?:")
        append(
          listOf(
            "Inaccessible trust store",
            "trustStore is",
            "Reload the trust store",
            "Reload trust certs",
            "Reloaded",
            "adding as trusted certificates",
            "Ignore disabled cipher suite",
            "Ignore unsupported cipher suite",

    level: Int,
    t: Throwable?,
  ) {
    if (level == WARN) {
      Log.w(Tag, message, t)
    } else {
      Log.i(Tag, message, t)
    }
  }

  /**
   * A trust manager for Android applications that customize the trust manager.
   *
   * This class exploits knowledge of Android implementation details. This class is potentially

 *
 * Supported on OpenJDK 8 via the JettyALPN-boot library or Conscrypt.
 *
 * Supported on OpenJDK 9+ via SSLParameters and SSLSocket features.
 *
 * ### Trust Manager Extraction
 *
 * Supported on Android 2.3+ and OpenJDK 7+. There are no public APIs to recover the trust
 * manager that was used to create an [SSLSocketFactory].
 *
 * Not supported by choice on JDK9+ due to access checks.
 *
 * ### Android Cleartext Permit Detection

//     - object_data := DAREv2_Dec(ObjectKey, enc_object_data)
//     Output: object_data
//
// ## SSE-S3
//
// SSE-S3 can use either a master key or a KMS as root-of-trust.
// The en/decryption slightly depens upon which root-of-trust is used.
//
// ### SSE-S3 and single master key
//
// The master key is used to derive unique object- and key-encryption-keys.

  avatarUrl: https://avatars.githubusercontent.com/u/2546697?u=a027452387d85bd4a14834e19d716c99255fb3b7&v=4
  url: https://github.com/jekirl
hitrust:
  login: hitrust
  count: 4
  avatarUrl: https://avatars.githubusercontent.com/u/3360631?u=5fa1f475ad784d64eb9666bdd43cc4d285dcc773&v=4
  url: https://github.com/hitrust
ShahriyarR:
  login: ShahriyarR
  count: 4

Nevertheless, as the **application server** doesn't know it is behind a trusted **proxy**, by default, it wouldn't trust those headers.

But you can configure the **application server** to trust the *forwarded* headers sent by the **proxy**. If you are using FastAPI CLI, you can use the *CLI Option* `--forwarded-allow-ips` to tell it from which IPs it should trust those *forwarded* headers.