Skip to content

Add trusted proxies config docs #38586

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
sgress454 merged 5 commits into from
Jan 23, 2026
Merged

Add trusted proxies config docs #38586

Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
3f01a25
add trusted proxy config docs
sgress454 Jan 21, 2026
b749210
update
sgress454 Jan 21, 2026
daba6d4
update
sgress454 Jan 21, 2026
d0a2aeb
revert
sgress454 Jan 21, 2026
eca936a
update
sgress454 Jan 21, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
38 changes: 38 additions & 0 deletions docs/Configuration/fleet-server-configuration.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -684,6 +684,44 @@ Turning off keepalives has helped reduce outstanding TCP connections in some dep
keepalive: true
```

### server_trusted_proxies (Fleet 4.80.1+)

Sets the strategy that Fleet uses to determine the IP address of the client making a request. This address is used for rate-limiting purposes. Options are:

- `none`: always take the IP from the remote address of the request
- A comma-delimited set of IP addresses or ranges: parse the `x-forwarded-for` or `forwarded` header (if any) in the request and take the right-most IP _not_ in the list
- A number: parse the `x-forwarded-for` or `forwarded` header (if any) and taken the Nth address from the right (`1` indicates the right-most address, `2` the second-to-right-most, etc.)
- A string starting with `header:`: take the value of that header as the IP address
- Empty: take the value of the IP from the `True-Client-IP` header, or else the `X-Real-IP` header, or else the left-most value of the `X-Forwarded-For` header. _This setting is deprecated: For Fleet servers directly facing the internet, `none` is recommended. Otherwise use a value compatible with your proxy setup._

> If no value can be determined via the configured setting (for example, if a number is supplied but no `x-forwarded-for` or `forwarded` headers exist on the request) then the remote address of the request will be used.

For example, if a request from remote address `5.5.5.5` has these headers:
```
X-Forwarded-For: 1.1.1.1, 2.2.2.2, 4.4.4.4, 192.168.0.120
X-Real-IP: 2.2.2.2
```

Then depending on how `fleet_server_trusted_proxies` is set, Fleet would determine the following values for the client IP:

| Trusted proxies setting | Client IP | Explanation |
| --- | --- | --- |
|`none` | `5.5.5.5` | The address Fleet received the request from |
|`192.168.0.0/24, 4.4.4.4`| `2.2.2.2` | Using `X-Forwarded-For` and skipping the trusted addresses of `192.168.0.120` and `4.4.4.4` |
|`1`| `192.168.0.120` | The first address from the right in `x-forwarded-for`
|`2`| `4.4.4.4` | The second address from the right in `x-forwarded-for` |
|`header:x-real-ip`| `2.2.2.2` | The value of the specified header|
|`header:x-peekaboo`| `5.5.5.5` | The address Fleet received the request from, since the specified header doesn't exist in the request |
|empty| `2.2.2.2` | The value of the `x-real-ip` header

- Default value: empty
- Environment variable: `FLEET_SERVER_TRUSTED_PROXIES`
- Config file format:
```yaml
server:
trusted_proxies: none
```

### server_websockets_allow_unsafe_origin

Controls the servers websocket origin check. If your Fleet server is behind a reverse proxy,
Expand Down
Loading