diff --git a/boringproxy.go b/boringproxy.go
index 993f2ce..ccff504 100644
--- a/boringproxy.go
+++ b/boringproxy.go
@@ -274,7 +274,7 @@ func Listen() {
 				return
 			}
 
-			proxyRequest(w, r, tunnel, httpClient, tunnel.TunnelPort, *behindProxy)
+			proxyRequest(w, r, tunnel, httpClient, "localhost", tunnel.TunnelPort, *behindProxy)
 		}
 	})
 
diff --git a/client.go b/client.go
index 0a5903a..58c0714 100644
--- a/client.go
+++ b/client.go
@@ -297,7 +297,7 @@ func (c *Client) BoreTunnel(ctx context.Context, tunnel Tunnel) error {
 		httpMux := http.NewServeMux()
 
 		httpMux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
-			proxyRequest(w, r, tunnel, c.httpClient, tunnel.ClientPort, c.behindProxy)
+			proxyRequest(w, r, tunnel, c.httpClient, tunnel.ClientAddress, tunnel.ClientPort, c.behindProxy)
 		})
 
 		httpServer := &http.Server{
diff --git a/http_proxy.go b/http_proxy.go
index dd77709..15b74c0 100644
--- a/http_proxy.go
+++ b/http_proxy.go
@@ -8,7 +8,7 @@ import (
 	"time"
 )
 
-func proxyRequest(w http.ResponseWriter, r *http.Request, tunnel Tunnel, httpClient *http.Client, port int, behindProxy bool) {
+func proxyRequest(w http.ResponseWriter, r *http.Request, tunnel Tunnel, httpClient *http.Client, address string, port int, behindProxy bool) {
 
 	if tunnel.AuthUsername != "" || tunnel.AuthPassword != "" {
 		username, password, ok := r.BasicAuth()
@@ -29,9 +29,7 @@ func proxyRequest(w http.ResponseWriter, r *http.Request, tunnel Tunnel, httpCli
 
 	downstreamReqHeaders := r.Header.Clone()
 
-	// TODO: should probably pass in address instead of using localhost,
-	// mostly for client-terminated TLS
-	upstreamAddr := fmt.Sprintf("localhost:%d", port)
+	upstreamAddr := fmt.Sprintf("%s:%d", address, port)
 	upstreamUrl := fmt.Sprintf("http://%s%s", upstreamAddr, r.URL.RequestURI())
 
 	upstreamReq, err := http.NewRequest(r.Method, upstreamUrl, r.Body)