Subnet as trusted proxies?

Hello everyone,

I followed carefully the documentation here to configure my nginx for HA (

The problem I have is that I have nginx running in containers in a swarm. Basically, I have 5 nodes running nginx in containers.

BTW, HA is also running in my swarm (if anyone need information on that I can help with the macvlan or how to discover the server or register the IP in DNS leveraging Bonjour).

HA works solid when accessing it with its IP. Through NGINX, outside or inside my LAN (hairpin for inside) I got a lot of 502 responses. After some investigations I understood that it might be because I need to whitelist the NGINX proxy in HA configuration.

Did that with the 5 IPs (my 5 nginx). Situation is pretty better. Still have some 502 here and then but pretty rare. Still have some issues sometime between LTE and Wifi but I guess this is tied to the tokens, not sure. seems better with recent releeases).

The problem: those IPs (ngninx proxy) are not fixed. In swarm I may run one or more ngninx server per node and even if just one per node it gets its IP dynamically.

The situation is even worst when there is a redirection from the ingress network.

QUestion is: can we whitelist a complete subnet instead of a list of IPs? Or is there another way to allow any proxy? Or do you have any suggestion appart from installing another ngninx proxy somewhere else in the network?

Any help would be appreciated!
Thank you and have a nice we,



hum, not sure to get it correctly. Adding the header in nginx would replace the need of trusted proxy configuration in HA?

My understanding was that this was only when using basic auth that is obsolete now.

Or should I do the opposite and reset it…