From cead741c1646f0bd53746164df6b84ae1c83bd77 Mon Sep 17 00:00:00 2001 From: tobi Date: Mon, 11 Aug 2025 16:23:55 +0200 Subject: [PATCH] [docs] Revamp trusted proxies warning a bit (#4365) Closes https://codeberg.org/superseriousbusiness/gotosocial/issues/4352 by mentioning required headers in reverse proxy. Reviewed-on: https://codeberg.org/superseriousbusiness/gotosocial/pulls/4365 Co-authored-by: tobi Co-committed-by: tobi --- docs/configuration/trusted_proxies.md | 7 +++++-- web/template/page_header.tmpl | 9 ++++++--- 2 files changed, 11 insertions(+), 5 deletions(-) diff --git a/docs/configuration/trusted_proxies.md b/docs/configuration/trusted_proxies.md index 36299519e..4dc9e8aea 100644 --- a/docs/configuration/trusted_proxies.md +++ b/docs/configuration/trusted_proxies.md 
@@ -2,11 +2,14 @@ To correctly enforce [rate limiting](../api/ratelimiting.md), GoToSocial relies on the concept of "trusted proxies" in order to accurately determine the IP address of clients accessing your server. -A "trusted proxy" is an intermediate network hop that GoToSocial can be instructed to trust to provide a correct client IP address. +A "trusted proxy" is an intermediate network hop that GoToSocial can be instructed to trust to provide a correct client IP address via an `X-Forwarded-For` or `X-Real-IP` header. For example, if you are running in a reverse proxy configuration with Docker + Nginx, then the Docker network address of Nginx should be configured as a trusted proxy, since all traffic from the wider internet will come into GoToSocial via Nginx. -Without setting `trusted-proxies` correctly, GoToSocial will see all incoming client IP addresses as the same address, which leads to rate limiting issues, since GoToSocial uses client IP addresses to bucket rate limits. +If `trusted-proxies` is not set correctly, GoToSocial will see all incoming client IP addresses as the same address. This will lead to rate limiting issues, since GoToSocial uses client IP addresses to bucket rate limits. + +!!! tip + If you reached this page via the trusted proxies warning on a GoToSocial page, and the suggested address to add is `127.0.0.1`, then before you try any of the other troubleshooting steps, ensure that your reverse proxy is configured to correctly pass either `X-Forwarded-For` or `X-Real-IP`. ## tl;dr: How to set `trusted-proxies` correctly diff --git a/web/template/page_header.tmpl b/web/template/page_header.tmpl index ba9cf6e72..f8b01fd02 100644 --- a/web/template/page_header.tmpl +++ b/web/template/page_header.tmpl @@ -21,14 +21,17 @@ {{- .with }}

- Warning! It looks like trusted-proxies is not set correctly in this instance's configuration. + Warning! It looks like either trusted-proxies is not set correctly in this instance's configuration, + or the upstream reverse proxy is not passing an appropriate X-Forwarded-For or X-Real-IP header. +

+

This may cause rate-limiting issues and, by extension, federation issues.

- If you are the instance admin, you should fix this by adding {{- .trustedProxiesRec -}} to your trusted-proxies. + If you are the instance admin, you may be able to fix this by adding {{- .trustedProxiesRec -}} to your trusted-proxies.

- For more information, see + For more information and other possible fixes for this issue, see
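Review bot: In the docs/configuration/trusted_proxies.md hunk, the new tip asks the admin to ensure the reverse proxy is "configured to correctly pass either `X-Forwarded-For` or `X-Real-IP`", but it does not say what a correct configuration looks like or where to find one. The page already uses Docker + Nginx as its example, so consider pointing from the tip to the reverse proxy setup documentation. Consider also wording it so that the proxy sets the header from the address of the connecting client rather than relaying whatever value arrives with the request, since this header is what GoToSocial is being told to trust when it buckets rate limits.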
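Review bot: In the web/template/page_header.tmpl hunk, the warning now names two possible causes, yet the only concrete action offered to the admin is still adding `{{- .trustedProxiesRec -}}` to `trusted-proxies`. The docs tip in the same patch says that when the suggested address is `127.0.0.1` the header configuration should be checked before anything else, and the template text does not reflect that order. Consider mentioning the header check in the admin-facing sentence, ahead of the suggested address, so an admin does not add a loopback address to `trusted-proxies` when the missing header is the actual cause.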