From 3f01a25da0bf95833a442e9ec8ea9ddbbca5099c Mon Sep 17 00:00:00 2001 From: Scott Gress Date: Wed, 21 Jan 2026 12:19:35 -0600 Subject: [PATCH 1/5] add trusted proxy config docs --- .../fleet-server-configuration.md | 38 +++++++++++++++++++ 1 file changed, 38 insertions(+) diff --git a/docs/Configuration/fleet-server-configuration.md b/docs/Configuration/fleet-server-configuration.md index 381ab9275b6..c3c5d20963d 100644 --- a/docs/Configuration/fleet-server-configuration.md +++ b/docs/Configuration/fleet-server-configuration.md 
@@ -684,6 +684,44 @@ Turning off keepalives has helped reduce outstanding TCP connections in some dep keepalive: true ``` +### server_trusted_proxies (Fleet 4.80.1+) + +Sets the strategy that Fleet uses to determine the IP address of the client making a request. This address is used for rate-limiting purposes. Options are: + +- `none`: always take the IP from the remote address of the request +- A comma-delimited set of IP addresses or ranges: parse the `x-forwarded-for` or `forwarded` header (if any) in the request and take the right-most IP _not_ in the list +- A number: parse the `x-forwarded-for` or `forwarded` header (if any) and taken the Nth address from the right (`1` indicates the right-most address, `2` the second-to-right-most, etc.) +- A string starting with `header:`: take the value of that header as the IP address +- Empty: take the value of the IP from the `True-Client-IP` header, or else the `X-Real-IP` header, or else the left-most value of the `X-Forwarded-For` header. _This setting is deprecated: For Fleet servers directly facing the internet, `none` is recommended. Otherwise use a value compatible with your proxy setup._ + +> If no value can be determined via the configured setting (for example, if a number is supplied but no `x-forwarded-for` or `forwarded` headers exist on the request) then the remote address of the request will be used. 
+ +For example, if a request with remote address `5.5.5.5` has these headers: +``` +X-Forwarded-For: 1.1.1.1, 2.2.2.2, 4.4.4.4, 192.168.0.120 +X-Real-IP: 2.2.2.2 +``` + +Then depending on how `fleet_server_trusted_proxies` is set, Fleet would determine the following values for the client IP: + +| Trusted proxies setting | Client IP | Explanation | +| --- | --- | --- | +|`none` | `5.5.5.5` | The address Fleet received the request from | +|`192.168.0.0/24, 4.4.4.4`| `2.2.2.2` | Using `X-Forwarded-For` and skipping the trusted addresses of `192.168.0.120` and `4.4.4.4` | +|`1`| `192.168.0.120` | The first address from the right +|`2`| `4.4.4.4` | The second address from the right| +|`header:x-real-ip`| `2.2.2.2` | The value of the specified header| +|`header:x-peekaboo`| `5.5.5.5` | The address Fleet received the request from, since the specified header doesn't exist in the request | +|empty| `2.2.2.2` | The value of the `x-real-ip` header + +- Default value: empty +- Environment variable: `FLEET_SERVER_TRUSTED_PROXIES` +- Config file format: + ```yaml + server: + trusted_proxies: none + ``` + ### server_websockets_allow_unsafe_origin Controls the servers websocket origin check. If your Fleet server is behind a reverse proxy, From b7492102c8436eb8088b1dacabb0accab92b03db Mon Sep 17 00:00:00 2001 From: Scott Gress Date: Wed, 21 Jan 2026 12:37:02 -0600 Subject: [PATCH 2/5] update --- docs/Configuration/fleet-server-configuration.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/Configuration/fleet-server-configuration.md b/docs/Configuration/fleet-server-configuration.md index c3c5d20963d..6fae8675083 100644 --- a/docs/Configuration/fleet-server-configuration.md +++ b/docs/Configuration/fleet-server-configuration.md 
@@ -696,7 +696,7 @@ Sets the strategy that Fleet uses to determine the IP address of the client maki > If no value can be determined via the configured setting (for example, if a number is supplied but no `x-forwarded-for` or `forwarded` headers exist on the request) then the remote address of the request will be used. -For example, if a request with remote address `5.5.5.5` has these headers: +For example, if a request from remote address `5.5.5.5` has these headers: ``` X-Forwarded-For: 1.1.1.1, 2.2.2.2, 4.4.4.4, 192.168.0.120 X-Real-IP: 2.2.2.2 From daba6d430a66ff29a3e8974861fe470cfd8fc4b9 Mon Sep 17 00:00:00 2001 From: Scott Gress Date: Wed, 21 Jan 2026 12:39:11 -0600 Subject: [PATCH 3/5] update --- docs/Configuration/fleet-server-configuration.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/Configuration/fleet-server-configuration.md b/docs/Configuration/fleet-server-configuration.md index 6fae8675083..bd6028bb6f3 100644 --- a/docs/Configuration/fleet-server-configuration.md +++ b/docs/Configuration/fleet-server-configuration.md @@ -706,7 +706,7 @@ Then depending on how `fleet_server_trusted_proxies` is set, Fleet would determi | Trusted proxies setting | Client IP | Explanation | | --- | --- | --- | -|`none` | `5.5.5.5` | The address Fleet received the request from | +|`"none"` | `5.5.5.5` | The address Fleet received the request from | |`192.168.0.0/24, 4.4.4.4`| `2.2.2.2` | Using `X-Forwarded-For` and skipping the trusted addresses of `192.168.0.120` and `4.4.4.4` | |`1`| `192.168.0.120` | The first address from the right |`2`| `4.4.4.4` | The second address from the right| From d0a2aeba67d0b2023243f4ce3afa71e450aa5c0c Mon Sep 17 00:00:00 2001 From: Scott Gress Date: Wed, 21 Jan 2026 12:40:21 -0600 Subject: [PATCH 4/5] revert --- docs/Configuration/fleet-server-configuration.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/Configuration/fleet-server-configuration.md b/docs/Configuration/fleet-server-configuration.md index bd6028bb6f3..6fae8675083 100644 --- a/docs/Configuration/fleet-server-configuration.md +++ b/docs/Configuration/fleet-server-configuration.md @@ -706,7 +706,7 @@ Then depending on how `fleet_server_trusted_proxies` is set, Fleet would determi | Trusted proxies setting | Client IP | Explanation | | --- | --- | --- | -|`"none"` | `5.5.5.5` | The address Fleet received the request from | +|`none` | `5.5.5.5` | The address Fleet received the request from | |`192.168.0.0/24, 4.4.4.4`| `2.2.2.2` | Using `X-Forwarded-For` and skipping the trusted addresses of `192.168.0.120` and `4.4.4.4` | |`1`| `192.168.0.120` | The first address from the right |`2`| `4.4.4.4` | The second address from the right| From eca936ada91cf57c926fae54c7821328ed5ad41c Mon Sep 17 00:00:00 2001 From: Scott Gress Date: Wed, 21 Jan 2026 12:43:32 -0600 Subject: [PATCH 5/5] update --- docs/Configuration/fleet-server-configuration.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/Configuration/fleet-server-configuration.md b/docs/Configuration/fleet-server-configuration.md index 6fae8675083..67a0314aaa0 100644 --- a/docs/Configuration/fleet-server-configuration.md +++ b/docs/Configuration/fleet-server-configuration.md 
@@ -708,8 +708,8 @@ Then depending on how `fleet_server_trusted_proxies` is set, Fleet would determi | --- | --- | --- | |`none` | `5.5.5.5` | The address Fleet received the request from | |`192.168.0.0/24, 4.4.4.4`| `2.2.2.2` | Using `X-Forwarded-For` and skipping the trusted addresses of `192.168.0.120` and `4.4.4.4` | -|`1`| `192.168.0.120` | The first address from the right -|`2`| `4.4.4.4` | The second address from the right| +|`1`| `192.168.0.120` | The first address from the right in `x-forwarded-for` +|`2`| `4.4.4.4` | The second address from the right in `x-forwarded-for` | |`header:x-real-ip`| `2.2.2.2` | The value of the specified header| |`header:x-peekaboo`| `5.5.5.5` | The address Fleet received the request from, since the specified header doesn't exist in the request | |empty| `2.2.2.2` | The value of the `x-real-ip` header
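Review bot: in PATCH 1/5 (hunk `@@ -684,6 +684,44 @@`), the "Empty" bullet says the behaviour is deprecated but not why, and that reason is the security point of the whole setting: `True-Client-IP`, `X-Real-IP` and the left-most `X-Forwarded-For` entry are whatever the sender of the request put there unless a proxy in front of Fleet overwrites them, so with the default value an internet-facing server keys its rate limiting on a value chosen by the client. Stating that in one sentence makes the recommendation of `none` for internet-facing servers self-explanatory. Same hunk, smaller points: the numeric bullet reads "and taken the Nth address from the right" (should be "take"); the sentence introducing the table refers to `fleet_server_trusted_proxies`, which matches neither the heading `server_trusted_proxies`, the env var `FLEET_SERVER_TRUSTED_PROXIES` nor the YAML key `trusted_proxies`, so use the heading's name; and the blockquote covers the case where the headers are absent but not what a number does when the header holds fewer than N addresses, nor whether `header:` takes the whole header value or only its first entry when that header is itself comma-separated. Both decide the rate-limit key and belong in the docs.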
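Review bot: PATCH 3/5 changes the first table row to `"none"` and PATCH 4/5 restores the original line byte for byte, so the two commits cancel out and only add noise to history; squash them before merge. If the quoting was meant to signal that the YAML value must be the string `none` rather than a null, say that next to the config-file example in PATCH 1/5 (`trusted_proxies: none`) instead of in the table.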
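Review bot: in PATCH 5/5 the `2` row gains a closing `|` but the `1` row still ends without one, and the `empty` row in the trailing context (`|empty| `2.2.2.2` | The value of the `x-real-ip` header`) has none either; terminate all three rows with `|` so the table matches the other rows and renders consistently. Also, the numeric option is documented as parsing `x-forwarded-for` or `forwarded`, so adding "in `x-forwarded-for`" to these two rows is accurate for the example headers but should not read as if `forwarded` is ignored; a short note that the same counting applies to `forwarded` would avoid that reading.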