From 1b1bc34898593d596654e45815bea4761526386a Mon Sep 17 00:00:00 2001
From: Stebbi <stefan.sigurdsson@sensa.is>
Date: Fri, 29 May 2026 11:11:14 +0000
Subject: [PATCH] Fixing trusted proxies

---
 README.md                              | 1 +
 examples/compose/librenms.env          | 1 +
 examples/rrdcached-server/librenms.env | 1 +
 examples/traefik/librenms.env          | 1 +
 rootfs/etc/cont-init.d/03-config.sh    | 2 ++
 test/librenms.env                      | 1 +
 6 files changed, 7 insertions(+)

diff --git a/README.md b/README.md
index 39f06e08..4a65b503 100644
--- a/README.md
+++ b/README.md
@@ -126,6 +126,7 @@ linux/s390x
 * `REAL_IP_FROM`: Trusted addresses that are known to send correct replacement addresses (default `0.0.0.0/32`)
 * `REAL_IP_HEADER`: Request header field whose value will be used to replace the client address (default `X-Forwarded-For`)
 * `LOG_IP_VAR`: Use another variable to retrieve the remote IP address for access [log_format](http://nginx.org/en/docs/http/ngx_http_log_module.html#log_format) on Nginx. (default `remote_addr`)
+* `APP_TRUSTED_PROXIES`: Trusted proxies for Laravel / LibreNMS proxy awareness (default `172.17.0.0/16,10.42.0.0/16`)
 * `SESSION_DRIVER`: [Driver to use for session storage](https://github.com/librenms/librenms/blob/master/config/session.php) (default `file`)
 * `CACHE_DRIVER`: [Driver to use for cache and locks](https://github.com/librenms/librenms/blob/master/config/cache.php) (default `database`)
 
diff --git a/examples/compose/librenms.env b/examples/compose/librenms.env
index a1d0492f..7b49e29c 100644
--- a/examples/compose/librenms.env
+++ b/examples/compose/librenms.env
@@ -5,6 +5,7 @@ OPCACHE_MEM_SIZE=128
 REAL_IP_FROM=0.0.0.0/32
 REAL_IP_HEADER=X-Forwarded-For
 LOG_IP_VAR=remote_addr
+APP_TRUSTED_PROXIES=172.17.0.0/16,10.42.0.0/16
 
 CACHE_DRIVER=redis
 SESSION_DRIVER=redis
diff --git a/examples/rrdcached-server/librenms.env b/examples/rrdcached-server/librenms.env
index 44da1f58..c07f6751 100644
--- a/examples/rrdcached-server/librenms.env
+++ b/examples/rrdcached-server/librenms.env
@@ -5,6 +5,7 @@ OPCACHE_MEM_SIZE=128
 REAL_IP_FROM=0.0.0.0/32
 REAL_IP_HEADER=X-Forwarded-For
 LOG_IP_VAR=remote_addr
+APP_TRUSTED_PROXIES=172.17.0.0/16,10.42.0.0/16
 
 CACHE_DRIVER=redis
 SESSION_DRIVER=redis
diff --git a/examples/traefik/librenms.env b/examples/traefik/librenms.env
index d650129d..2747ef26 100644
--- a/examples/traefik/librenms.env
+++ b/examples/traefik/librenms.env
@@ -5,6 +5,7 @@ OPCACHE_MEM_SIZE=128
 REAL_IP_FROM=0.0.0.0/32
 REAL_IP_HEADER=X-Forwarded-For
 LOG_IP_VAR=http_x_forwarded_for
+APP_TRUSTED_PROXIES=172.17.0.0/16,10.42.0.0/16
 
 CACHE_DRIVER=redis
 SESSION_DRIVER=redis
diff --git a/rootfs/etc/cont-init.d/03-config.sh b/rootfs/etc/cont-init.d/03-config.sh
index 5b02a259..d91922e2 100644
--- a/rootfs/etc/cont-init.d/03-config.sh
+++ b/rootfs/etc/cont-init.d/03-config.sh
@@ -49,6 +49,7 @@ DB_USER=${DB_USER:-librenms}
 DB_TIMEOUT=${DB_TIMEOUT:-30}
 
 LIBRENMS_BASE_URL=${LIBRENMS_BASE_URL:-/}
+APP_TRUSTED_PROXIES=${APP_TRUSTED_PROXIES:-"172.17.0.0/16,10.42.0.0/16"}
 
 # Timezone
 echo "Setting timezone to ${TZ}..."
@@ -133,6 +134,7 @@ if [ -z "$DB_PASSWORD" ]; then
 fi
 cat >${LIBRENMS_PATH}/.env <<EOL
 APP_URL=${LIBRENMS_BASE_URL}
+APP_TRUSTED_PROXIES=${APP_TRUSTED_PROXIES}
 DB_HOST=${DB_HOST}
 DB_PORT=${DB_PORT}
 DB_DATABASE=${DB_NAME}
diff --git a/test/librenms.env b/test/librenms.env
index a1d0492f..7b49e29c 100644
--- a/test/librenms.env
+++ b/test/librenms.env
@@ -5,6 +5,7 @@ OPCACHE_MEM_SIZE=128
 REAL_IP_FROM=0.0.0.0/32
 REAL_IP_HEADER=X-Forwarded-For
 LOG_IP_VAR=remote_addr
+APP_TRUSTED_PROXIES=172.17.0.0/16,10.42.0.0/16
 
 CACHE_DRIVER=redis
 SESSION_DRIVER=redis