Behind a load balancer
If running behind Cloudflare, nginx, or another reverse proxy:
- Set `tls.mode: "off"` in config
- Set `listen_addr: ":80"` (or whatever port the LB forwards to)
- The LB handles TLS termination
Trusted proxies
To preserve real client IPs for rate limiting and account lockout, configure `trusted_proxies`:

```yaml
trusted_proxies:
  - "127.0.0.1"
  - "10.0.0.1"
```

When the direct connection comes from a trusted proxy, the client IP is extracted from `X-Forwarded-For` (rightmost untrusted entry). Without this config, `RemoteAddr` is used directly.
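The rightmost-untrusted rule described above, sketched in Go as an added example (not the project's own code). `clientIP` and `trustedSet` are hypothetical names, trusted proxies are assumed to be plain IPs rather than CIDR ranges, and falling back to the peer address on a malformed header is an assumption.

```go
package main

import (
	"fmt"
	"net"
	"net/netip"
	"strings"
)

// trustedSet builds the lookup set from trusted_proxies entries (plain IPs here).
func trustedSet(ips ...string) map[netip.Addr]bool {
	set := make(map[netip.Addr]bool, len(ips))
	for _, s := range ips {
		set[netip.MustParseAddr(s).Unmap()] = true
	}
	return set
}

// clientIP (hypothetical helper) returns the address to use for rate limiting.
// remoteAddr is the TCP peer ("ip:port"); xff holds every X-Forwarded-For value.
func clientIP(remoteAddr string, xff []string, trusted map[netip.Addr]bool) string {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr
	}
	peer, err := netip.ParseAddr(host)
	if err != nil || !trusted[peer.Unmap()] {
		return host // direct peer is not a trusted proxy: ignore the header
	}
	hops := strings.Split(strings.Join(xff, ","), ",")
	// Walk right to left: entries appended by trusted proxies are skipped,
	// the first untrusted one is the client as seen by our own proxy chain.
	for i := len(hops) - 1; i >= 0; i-- {
		ip, err := netip.ParseAddr(strings.TrimSpace(hops[i]))
		if err != nil {
			break // missing or malformed entry: assumed fallback to the peer
		}
		if !trusted[ip.Unmap()] {
			return ip.Unmap().String()
		}
	}
	return host // every entry was a trusted proxy
}

func main() {
	trusted := trustedSet("127.0.0.1", "10.0.0.1") // values from the config above
	// Constructed request: the client sent its own X-Forwarded-For: 192.0.2.66,
	// then the proxy at 10.0.0.1 appended the address it actually saw.
	fmt.Println(clientIP("10.0.0.1:41000", []string{"192.0.2.66, 198.51.100.7"}, trusted))
}
```

Entries to the left of the returned address are client-supplied and never used, which is why the leftmost value must not drive rate limiting or lockout.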
See also: TLS and HTTPS, Security hardening.