Safe configuration with reverse proxy

Hi there,

Currently I run two VM’s on my server: A -> Apache reverse proxy server and B-> homeassistant.
In the proxy server a subdomain is routed to B, so i’m able to visit my homeassistant with a subdomain.

But when a login fails, the notification in home assistant shows only the IP adress of A instead of the ‘real’ visitor.
I’ve found documentation from the http component, but it is not clear to my how to combine the right parameters like (use_x_forwarded_for, trusted_proxies, trusted_networks) to get a save configuration.

Can someone shows his configuration to get this work? Maybe we can this add to the documentation

Kind regards,
AJ

X-Forwarded-For and Trusted Proxy is safe to use providing the proxy is setting the X-Forwarded-For header to the client’s address; the security issue came from allowing the client to set this (faking it) and then having Trusted Network enabled.

The external user could fake the X-Forwarded-For and simply guess the users internal network range, 192.168.0.x, 172.16.0.x and 10.0.0.x are all really common.

I dont use Apache so can’t really advise you on that part.