[docs] Revamp trusted proxies warning a bit (#4365)

Closes https://codeberg.org/superseriousbusiness/gotosocial/issues/4352 by mentioning required headers in reverse proxy. Reviewed-on: https://codeberg.org/superseriousbusiness/gotosocial/pulls/4365 Co-authored-by: tobi <tobi.smethurst@protonmail.com> Co-committed-by: tobi <tobi.smethurst@protonmail.com>
2025-10-28 06:22:26 -05:00 · 2025-08-11 16:23:55 +02:00 · 2025-08-11 16:23:55 +02:00 · cead741c16
commit cead741c16
parent e565855540
2 changed files with 11 additions and 5 deletions
--- a/docs/configuration/trusted_proxies.md
+++ b/docs/configuration/trusted_proxies.md
@ -2,11 +2,14 @@

 To correctly enforce [rate limiting](../api/ratelimiting.md), GoToSocial relies on the concept of "trusted proxies" in order to accurately determine the IP address of clients accessing your server.

-A "trusted proxy" is an intermediate network hop that GoToSocial can be instructed to trust to provide a correct client IP address.
+A "trusted proxy" is an intermediate network hop that GoToSocial can be instructed to trust to provide a correct client IP address via an `X-Forwarded-For` or `X-Real-IP` header.

 For example, if you are running in a reverse proxy configuration with Docker + Nginx, then the Docker network address of Nginx should be configured as a trusted proxy, since all traffic from the wider internet will come into GoToSocial via Nginx.

-Without setting `trusted-proxies` correctly, GoToSocial will see all incoming client IP addresses as the same address, which leads to rate limiting issues, since GoToSocial uses client IP addresses to bucket rate limits.
+If `trusted-proxies` is not set correctly, GoToSocial will see all incoming client IP addresses as the same address. This will lead to rate limiting issues, since GoToSocial uses client IP addresses to bucket rate limits.
+
+!!! tip
+    If you reached this page via the trusted proxies warning on a GoToSocial page, and the suggested address to add is `127.0.0.1`, then before you try any of the other troubleshooting steps, ensure that your reverse proxy is configured to correctly pass either `X-Forwarded-For` or `X-Real-IP`.

 ## tl;dr: How to set `trusted-proxies` correctly

--- a/web/template/page_header.tmpl
+++ b/web/template/page_header.tmpl
@ -21,14 +21,17 @@
 {{- .with }}
 <div class="trusted-proxies-rec">
    <p>
-        <strong>Warning!</strong> It looks like <code>trusted-proxies</code> is not set correctly in this instance's configuration.
+        <strong>Warning!</strong> It looks like either <code>trusted-proxies</code> is not set correctly in this instance's configuration,
+        or the upstream reverse proxy is not passing an appropriate <code>X-Forwarded-For</code> or <code>X-Real-IP</code> header.
+    </p>
+    <p>
        This may cause rate-limiting issues and, by extension, federation issues.
    </p>
    <p>
-        If you are the instance admin, you should fix this by adding <code>{{- .trustedProxiesRec -}}</code> to your <code>trusted-proxies</code>.
+        If you are the instance admin, you may be able to fix this by adding <code>{{- .trustedProxiesRec -}}</code> to your <code>trusted-proxies</code>.
    </p>
    <p>
-        For more information, see
+        For more information and other possible fixes for this issue, see
        <a
            href="https://docs.gotosocial.org/en/latest/configuration/trusted_proxies/"
            rel="nofollow noreferrer noopener"