eZ Publish / Platform / EZP-32017

Unable to configure trusted proxy properly on platform.sh


Details

    • Bug
    • Resolution: Unresolved
    • Medium
    • None
    • 3.0.0, 3.1.0, 3.2.0-beta1, 2.5.14
    • eZ Platform Cloud
    • None

    Description

      platform.sh uses the "ngx_http_realip_module" nginx module, and puts the client IP into REMOTE_ADDR.
      This makes it impossible to configure an application to be accessible both with and without Varnish. For example, to serve a website by Varnish and the admin by nginx.

      If you put REMOTE_ADDR in TRUSTED_PROXIES, the admin panel will be open to IP address spoofing using the "x-forwarded-for" header.
      And the user will be able to request your Varnish invalidation token.

      If you put another IP address, or don't specify TRUSTED_PROXIES at all, you'll receive "Unauthorized" from Varnish (because of the "/_ez_http_invalidatetoken" route checking "$request->isFromTrustedProxy()", which will return false).

      Ideally, it should work in a way where the developer can safely use

      $request->getClientIp()
      

      I'm not sure if this issue is reproducible on ezplatform cloud, but I assume it should be there too.

      It looks like platform.sh is doing everything to emulate that the request is coming from the user directly; they even remove IPs from most CDNs.

      PR: https://github.com/ezsystems/ezplatform-http-cache/pull/136
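
The dilemma reported above, as a small Python model added here for illustration (not code from eZ Platform, Symfony or platform.sh). It assumes Symfony-style trusted-proxy handling, where X-Forwarded-For is honoured only when REMOTE_ADDR matches the trust list; the addresses and function names are constructed.

```python
import ipaddress

CLIENT = "203.0.113.7"    # constructed visitor address
VARNISH = "192.0.2.10"    # constructed Varnish address (assumption)
FORGED = "198.51.100.99"  # constructed value a visitor puts in X-Forwarded-For

def _addr(ip):
    try:
        return ipaddress.ip_address(ip)
    except ValueError:
        return None

def _resolve(trusted, remote_addr):
    # "REMOTE_ADDR" in the trust list stands for whoever opened the connection.
    return [remote_addr if t == "REMOTE_ADDR" else t for t in trusted]

def _in(ip, proxies):
    a = _addr(ip)
    return a is not None and any(
        a in ipaddress.ip_network(p, strict=False) for p in proxies)

def is_from_trusted_proxy(remote_addr, trusted):
    # Model of the check the invalidate-token route relies on.
    return _in(remote_addr, _resolve(trusted, remote_addr))

def client_ip(remote_addr, xff, trusted):
    # Model of getClientIp(): the header counts only for a trusted peer.
    proxies = _resolve(trusted, remote_addr)
    if not xff or not _in(remote_addr, proxies):
        return remote_addr
    chain = [h.strip() for h in xff.split(",")] + [remote_addr]
    chain = [h for h in chain if _addr(h)]          # drop malformed hops
    untrusted = [h for h in chain if not _in(h, proxies)]
    # The rightmost untrusted hop is taken as the client.
    return untrusted[-1] if untrusted else chain[0]

def admin_sees(trusted):
    # Direct nginx path: REMOTE_ADDR is the visitor, header is visitor-supplied.
    return client_ip(CLIENT, FORGED, trusted)

def token_route_allowed(trusted):
    # Varnish path: realip has already replaced REMOTE_ADDR with the visitor IP.
    return is_from_trusted_proxy(CLIENT, trusted)

if __name__ == "__main__":
    for cfg in (["REMOTE_ADDR"], [VARNISH], []):
        print(cfg, "admin sees", admin_sees(cfg),
              "| token route allowed:", token_route_allowed(cfg))
```

With `REMOTE_ADDR` trusted, the forged header value becomes the client IP and the token route is open to any peer; with a fixed Varnish address or no list, the client IP is correct but the token route is refused.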

          People

            Unassigned
            Ivan Ternovtsiy