diff --git a/CHANGELOG.md b/CHANGELOG.md
index b36a97dfc..aa15cd645 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,6 +14,8 @@ FEATURE: Node.js support for the zrok SDK (https://github.com/openziti/zrok/issu
 
 FEATURE: A Docker Compose project for self-hosting a zrok instance and [accompanying Docker guide](https://docs.zrok.io/docs/guides/self-hosting/docker) for more information.
 
+FEATURE: Added `no_forwarder` option to the public frontend configuration to avoid setting client addresses of intermediate infrastructure (https://github.com/openziti/zrok/issues/609)
+
 CHANGE: the container images run as "ziggy" (UID 2171) instead of the generic restricted user "nobody" (UID 65534). This reduces the risk of unexpected file permissions when binding the Docker host's filesystem to a zrok container.
 
 CHANGE: the Docker sharing guides were simplified and expanded
diff --git a/endpoints/publicProxy/config.go b/endpoints/publicProxy/config.go
index 54710c0ba..3f400ddd5 100644
--- a/endpoints/publicProxy/config.go
+++ b/endpoints/publicProxy/config.go
@@ -12,12 +12,13 @@ import (
 const V = 3
 
 type Config struct {
- V int
- Identity string
- Address string
- HostMatch string
- Oauth *OauthConfig
- Tls *endpoints.TlsConfig
+ V int
+ Identity string
+ Address string
+ HostMatch string
+ NoForwarder bool
+ Oauth *OauthConfig
+ Tls *endpoints.TlsConfig
 }
 
 type OauthConfig struct {
diff --git a/endpoints/publicProxy/http.go b/endpoints/publicProxy/http.go
index 60fc44384..5eb516768 100644
--- a/endpoints/publicProxy/http.go
+++ b/endpoints/publicProxy/http.go
@@ -106,6 +106,9 @@ func newServiceProxy(cfg *Config, ctx ziti.Context) (*httputil.ReverseProxy, err
 director := proxy.Director
 proxy.Director = func(req *http.Request) {
 director(req)
+ if cfg.NoForwarder {
+ req.Header["X-Forwarded-For"] = nil
+ }
 req.Header.Set("X-Proxy", "zrok")
 }
 proxy.ModifyResponse = func(resp *http.Response) error {
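Review bot: The new `NoForwarder` field in `Config` carries no comment, although it changes what the backend learns about the caller: per the http.go hunk of this commit, enabling it stops the proxy from populating `X-Forwarded-For`. I would add a comment above the field, for example `// NoForwarder, when true, stops the frontend from adding X-Forwarded-For to proxied requests; the default (false) keeps the header.` Backends that log, rate-limit or apply access rules on that header will presumably lose per-client attribution once the option is on, so the option's documentation should say so as well.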
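Review bot: The assignment `req.Header["X-Forwarded-For"] = nil` in the `cfg.NoForwarder` branch depends on a documented but non-obvious `httputil.ReverseProxy` rule: a key present with a nil value makes the proxy leave the header out, whereas deleting the key would let it append the client address again. A later cleanup to `req.Header.Del(...)` would silently undo the option, so I would add a comment such as `// nil, not Del: a present-but-nil entry tells ReverseProxy to omit X-Forwarded-For; Del would let it re-add the client IP`. The branch also touches only this one header; client-supplied `Forwarded` or `X-Real-IP` values appear to pass through the Director unchanged, so if the intent is that the backend receives no forwarding information at all, those likely need the same treatment. `newServiceProxy` begins and ends outside this hunk, so handling elsewhere in the function cannot be ruled out.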