From ae518399fadd0fefff7fc5a5d48d80dfb2d0237b Mon Sep 17 00:00:00 2001 From: Guillaume de Lafond <13253032+gdelafond@users.noreply.github.com> Date: Mon, 8 Jan 2024 11:35:24 +0100 Subject: [PATCH] docs(configuration): useForwardedHeaders (#7289) --- docs/configuration.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/docs/configuration.md b/docs/configuration.md index 712711101..2cda36726 100644 --- a/docs/configuration.md +++ b/docs/configuration.md @@ -118,6 +118,22 @@ On XOA, the log file for XO-server is in `/var/log/syslog`. It contains all the If you don't want to have Xen Orchestra exposed directly outside, or just integrating it with your existing infrastructure, you can use a Reverse Proxy. +First of all you need to allow Xen Orchestra to use `X-Forwarded-*` headers to determine the IP addresses of clients: + +```toml +[http] +# Accepted values for this setting: +# - false (default): do not use the headers +# - true: always use the headers +# - a list of trusted addresses: the headers will be used only if the connection +# is coming from one of these addresses +# +# More info about the accepted values: https://www.npmjs.com/package/proxy-addr?activeTab=readme#proxyaddrreq-trust +# +# > Note: X-Forwarded-* headers are easily spoofed and the detected IP addresses are unreliable. +useForwardedHeaders = ['127.0.0.1'] +``` + ### Apache As `xo-web` and `xo-server` communicate with _WebSockets_, you need to have the [`mod_proxy`](http://httpd.apache.org/docs/2.4/mod/mod_proxy.html), [`mod_proxy_http`](http://httpd.apache.org/docs/2.4/mod/mod_proxy_http.html), [`mod_proxy_wstunnel`](http://httpd.apache.org/docs/2.4/mod/mod_proxy_wstunnel.html) and [`mod_rewrite`](http://httpd.apache.org/docs/2.4/mod/mod_rewrite.html) modules enabled.
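Review bot: The spoofing caveat in the added TOML block is written as a code comment (`# > Note: X-Forwarded-* headers are easily spoofed and the detected IP addresses are unreliable.`), so the Markdown blockquote will not render and the warning is easy to miss; move it out of the fence into the prose above the block. It should also be tied to the values it applies to: `true` is documented as "always use the headers", meaning they are honoured on any connection, while the list form uses them only when the connection comes from a listed address, so the text should recommend the list form over `true`. Finally, the example value `useForwardedHeaders = ['127.0.0.1']` only matches a reverse proxy running on the same host as xo-server; add a sentence telling readers to replace it with the address of their own proxy when it runs elsewhere.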