diff --git a/content/en/admin/config.md b/content/en/admin/config.md index 431754d0..b5b06a68 100644 --- a/content/en/admin/config.md +++ b/content/en/admin/config.md 
@@ -202,7 +202,17 @@ Determines the amount of logs generated by Mastodon. Defaults to `info`, which g #### `TRUSTED_PROXY_IP` -If your Mastodon web process is on the same machine as your reverse proxy (e.g. nginx), then you don't need this setting. Otherwise, you need to set it to the IP from which your reverse proxy sends requests to Mastodon's web process, otherwise Mastodon will record the reverse proxy's own IP as the IP of all requests, which would be bad because IP addresses are used for important rate limits and security functions. +Tells the Mastodon web and streaming processes which IPs act as your trusted reverse proxy (e.g. nginx, Cloudflare). It affects how Mastodon determines the source IP of each request, which is used for important rate limits and security functions. If the value is set incorrectly then Mastodon could use the IP of the reverse proxy instead of the actual source. + +By default the loopback and private network address ranges are trusted. Specifically: + * `127.0.0.1/8` + * `::1/128` + * `10.0.0.0/8` + * `172.16.0.0/12` + * `192.168.0.0/16` + * `fc00::/7` + +If you're using a single reverse proxy and it runs on the same machine or is in the same private network as your Mastodon web and streaming processes then you most likely don't need to modify this setting and can use the default. Or if you're using multiple reverse proxy servers and they're all in the same private network as your Mastodon web and streaming processes then, again, the default should be fine. However, if you're using a reverse proxy server that reaches your Mastodon web and streaming servers via a public IP address (for example if you're using Cloudflare or a similar proxy) then you'll need to set this variable. It should be the IPs of all reverse proxies in use, as a comma-separated list of IPs or IP ranges using [CIDR notation](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#CIDR_notation). 
Note that when this variable is set the default ranges (mentioned above) will no longer be trusted, so if you have both an external reverse proxy _and_ a proxy on localhost then you must include the IPs (or IP ranges) of both. #### `SOCKET` @@ -656,4 +666,4 @@ Defaults to `512`. #### `GITHUB_API_TOKEN` -Used in a rake task for generating AUTHORS.md from Github commit history. \ No newline at end of file +Used in a rake task for generating AUTHORS.md from Github commit history.
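Review bot: In the `TRUSTED_PROXY_IP` hunk (@@ -202,7 +202,17 @@), the first entry of the default list is written `127.0.0.1/8`, which has host bits set and is inconsistent with the other entries, all of which are given as network addresses; `127.0.0.0/8` describes the same range in canonical form and will not make readers wonder whether only a single host is meant. The new text also says the value is "a comma-separated list of IPs or IP ranges" but never shows one, so a short sample value using obviously placeholder addresses would remove any doubt about separators and whitespace. Finally, the paragraph only describes the failure where the proxy's IP is recorded instead of the client's; since the setting feeds "rate limits and security functions", it would help to add a sentence saying that listing ranges broader than the actual proxies is also a misconfiguration, because forwarded-address headers are then accepted from hosts that are not your proxy. The closing note that setting the variable replaces the defaults is easy to miss at the end of a long paragraph and could be given its own paragraph.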