diff --git a/README.md b/README.md index 39f06e08..e1b275ef 100644 --- a/README.md +++ b/README.md @@ -126,6 +126,7 @@ linux/s390x * `REAL_IP_FROM`: Trusted addresses that are known to send correct replacement addresses (default `0.0.0.0/32`) * `REAL_IP_HEADER`: Request header field whose value will be used to replace the client address (default `X-Forwarded-For`) * `LOG_IP_VAR`: Use another variable to retrieve the remote IP address for access [log_format](http://nginx.org/en/docs/http/ngx_http_log_module.html#log_format) on Nginx. (default `remote_addr`) +* `APP_TRUSTED_PROXIES`: IPs or CIDR ranges trusted to set forwarding headers (X-Forwarded-For, X-Forwarded-Proto, etc.). These hosts can spoof any request header, including authentication headers. * `SESSION_DRIVER`: [Driver to use for session storage](https://github.com/librenms/librenms/blob/master/config/session.php) (default `file`) * `CACHE_DRIVER`: [Driver to use for cache and locks](https://github.com/librenms/librenms/blob/master/config/cache.php) (default `database`) diff --git a/examples/traefik/librenms.env b/examples/traefik/librenms.env index d650129d..b5d91e84 100644 --- a/examples/traefik/librenms.env +++ b/examples/traefik/librenms.env @@ -5,6 +5,7 @@ OPCACHE_MEM_SIZE=128 REAL_IP_FROM=0.0.0.0/32 REAL_IP_HEADER=X-Forwarded-For LOG_IP_VAR=http_x_forwarded_for +APP_TRUSTED_PROXIES=172.18.0.0/16 CACHE_DRIVER=redis SESSION_DRIVER=redis