Symfony version(s) affected: 2.8.44

Description
Symfony properly determines the schema from the Forwarded header for the main request, but when using fragments, it strips the forwarded header and then rebuilds it. Because it was stripped, $request->getScheme() returns http as the forwarded header is now missing.

How to reproduce
Setup symfony/apache with SSL termination handled separately (such as with HAProxy). When this happens, X-Forwarded-Proto is passed with "https", but the $_SERVER['HTTPS'] is not set to on (since apache isn't handling the SSL termination).
Create a fragment using {{render(controller('SomeController::someAction'))}}
In the fragment controller $request->isSecure() will return false, however in the main action of the controller $request->isSecure() will return true.

Possible Solution
Mitigation is to have apache set HTTPS=on if the X-Forwarded-Proto = https:
SetEnvIf X-Forwarded-Proto "https" HTTPS=on
The better solution would be to load the scheme before stripping the forwarded header when rebuilding the trusted headers in SubRequestHandler