[docs] Clarify that reverse proxy setups need trusted-proxies (#1127)

* [docs] Clarify that reverse proxy setups need trusted-proxies * Remove the jq usage
2025-11-18 09:37:28 -06:00 · 2022-11-23 16:10:56 +01:00 · 2022-11-23 16:10:56 +01:00 · 8942a70856
commit 8942a70856
parent 5ba5fb3154
5 changed files with 40 additions and 0 deletions
--- a/docs/installation_guide/docker.md
+++ b/docs/installation_guide/docker.md
@ -98,6 +98,35 @@ If you want to use [LetsEncrypt](../configuration/letsencrypt.md) for ssl certif
 2. Remove the `#` before `- "80:80"` in the `ports` section.
 3. (Optional) Set `GTS_LETSENCRYPT_EMAIL_ADDRESS` to a valid email address to receive certificate expiry warnings etc.

+#### Reverse proxies
+
+The default port bindings are for exposing GoToSocial directly and publicly. Remove the `#` in front the line that forwards `127.0.0.1:8080:8080` which makes port `8080` available only to the local host. Change that `127.0.0.1` if the reverse proxy is somewhere else.
+
+To ensure [rate limiting](../api/ratelimiting.md) by IP works, remove the `#` in front of `GTS_TRUSTED_PROXIES` and set it to the IP the requests from the reverse proxy are coming from. That's usually the value of the `Gateway` field of the docker network.
+
+```text
+$ docker network inspect gotosocial_gotosocial
+[
+    {
+        "Name": "gotosocial_gotosocial",
+        [...]
+        "IPAM": {
+            "Driver": "default",
+            "Options": null,
+            "Config": [
+                {
+                    "Subnet": "172.19.0.0/16",
+                    "Gateway": "172.19.0.1"
+                }
+            ]
+        },
+        [...]
+```
+
+In the example above, it would be `172.19.0.1`.
+
+If unsure, skip the trusted proxies step, continue with the next sections, and once it's running get the `clientIP` from the docker logs.
+
 ### Start GoToSocial

 With those small changes out of the way, you can now start GoToSocial with the following command: