Configuring Trust Proxy Headers

Why trust proxy headers?

When your server sits behind a reverse proxy like Cloudflare, AWS ALB, or a load balancer, your applications see the proxy's IP address instead of the real visitor's IP. This breaks:

• Rate limiting — all requests appear to come from one IP
• Geolocation — location data is wrong
• IP block lists — you can't block individual visitors
• Audit logs — request.ip returns the proxy IP

Trust Proxy Headers tells Traefik to read the real client IP from forwarded headers (X-Forwarded-For, X-Real-IP).

Using provider presets

Server Compass includes built-in presets for common providers:

1. Go to Server Settings > Proxy tab
2. Open the Trust Proxy Headers section
3. Select a preset from the dropdown:
   • Cloudflare — auto-fills all Cloudflare IPv4/IPv6 CIDR ranges
   • AWS ALB/ELB — enter your VPC CIDR (e.g., 10.0.0.0/16)
   • DigitalOcean Load Balancer — enter your VPC CIDR
   • Hetzner Load Balancer — enter your private network CIDR
   • Custom — manually add trusted IP ranges
4. Click Save — Traefik restarts automatically

PROXY Protocol (advanced)

For load balancers like AWS NLB or HAProxy that use PROXY Protocol instead of HTTP headers:

1. Expand the Proxy Protocol section
2. Enable PROXY Protocol
3. Add the trusted IP ranges for your load balancer
4. Save — Traefik is configured to accept PROXY Protocol on both HTTP and HTTPS entrypoints

Safety and rollback

Server Compass protects against misconfiguration:

• Automatic backup — traefik.yml is backed up before every change
• Health check — after restarting Traefik, Server Compass verifies the container is running
• Auto-rollback — if Traefik fails to start, the backup is restored and Traefik is restarted with the previous config
• Insecure mode warning — "Trust All Sources" is flagged as development-only and vulnerable to IP spoofing