This comes from #3778. I might not have looked into it close enough - we'll see! :)

@tcz - you added this note originally. Do you have some thoughts here?

Thanks!

Well have there been any changes to how subrequests get the client IP? If not, I think my change is still valid. See this SO answer: http://stackoverflow.com/a/16895859

I think it's missleading. The reverse proxy works perfectly fine without adding 127.0.0.1 to the list of trusted proxies because it's using the above mentioned FragmentListener which automatically adds 127.0.0.1 to the list of trusted IPs.
Only if you want to read the client IP from within a sub-request you need to add 127.0.0.1 (which is strange in the first place and has it's own issue: symfony/symfony#9292).

Edit: Replaced "from within an ESI-included fragment" with "from within a sub-request".

@ureimers If you don't add your local reverse proxy to the list, the detection of the client IP or the fact that the request is secure will fail, as it will consider the request between the proxy and the app, not the request sent by the client to the proxy, and forwarded to your app

@weaverryan this note should be kept (even though some apps may not be impacted if they forget it)

@stof Thank you for the clarification, I got that. But could you then please have a look at the referenced Symfony issue? Because I don't think that it's consistent that the reverse proxie's FragementListener trusts 127.0.0.1 while Request::getClientIp() doesn't.
And if that issue should pass the note can be removed, and everyone can just read the client IP without having to bother about trusted IPs in local enviroments.

I don't know exactly what's going on here, but I trust @stof, so I'm closing this issue. However, feel free to keep commenting on it, we can always reopen it!