Configure trusted proxies

When Cyberwatch is placed behind one or more proxies (such as a load balancer, reverse proxy, or security proxy), it is necessary to configure the TRUSTED_PROXIES variable to indicate to Cyberwatch which proxies are trusted. This configuration allows Cyberwatch to obtain the correct client IP addresses in sessions and logs, using the appropriate HTTP headers (such as X-Forwarded-For) instead of the proxy’s IP address.

Only the IP addresses of trusted proxies will be used to determine the real client IP address. Make sure to include only proxies that you control and trust.

Configuration

With Docker Swarm and Podman

  1. Add the TRUSTED_PROXIES environment variable to the /etc/cyberwatch/config.env file:

    TRUSTED_PROXIES="10.0.0.1,10.0.0.2"
    

    You can specify:

    • A single IP address: TRUSTED_PROXIES="10.0.0.1"
    • Multiple IP addresses separated by commas: TRUSTED_PROXIES="10.0.0.1,10.0.0.2,192.168.1.100"
    • One or more CIDR networks: TRUSTED_PROXIES="10.0.0.0/24"
  2. Restart Cyberwatch:

    sudo cyberwatch restart
    

With Kubernetes

  1. Add the TRUSTED_PROXIES environment variable to global.env in the values.yml file:

    global:
      env:
        ## Trusted proxy IP addresses or CIDR ranges
        ## Allows Cyberwatch to correctly identify client IP addresses when behind proxies
        TRUSTED_PROXIES: "10.0.0.1,10.0.0.2"
    

    You can specify:

    • A single IP address: TRUSTED_PROXIES: "10.0.0.1"
    • Multiple IP addresses separated by commas: TRUSTED_PROXIES: "10.0.0.1,10.0.0.2,192.168.1.100"
    • One or more CIDR networks: TRUSTED_PROXIES: "10.0.0.0/24"
  2. Restart Cyberwatch by following the procedure described in Update Cyberwatch application and the orchestrator base on Kubernetes

Verification

After configuration, you can verify that IP addresses are correctly detected by consulting session logs or checking the IP addresses recorded in the Cyberwatch interface.

Disable trusted proxy management

If nothing is configured, Cyberwatch trusts by default the private network address ranges listed in RFC 1918. To disable these default trusted proxies, set the TRUSTED_PROXIES variable to none.

For Docker Swarm:

TRUSTED_PROXIES="none"

For Kubernetes:

global:
  env:
    TRUSTED_PROXIES: "none"
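
The following is an added illustration, not Cyberwatch's own code: it shows how a trusted-proxy list of the kinds described above (single addresses, comma-separated lists, CIDR networks, the RFC 1918 default, and none) typically decides which address from X-Forwarded-For gets recorded. The right-to-left walk, the function names, and the treatment of an empty value as "nothing configured" are assumptions; the addresses are constructed sample values.

```python
import ipaddress

# Private ranges from RFC 1918, trusted when nothing is configured (per the page).
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

def parse_trusted_proxies(value):
    """Turn a TRUSTED_PROXIES-style string into a list of networks."""
    if value is None or not value.strip():
        entries = RFC1918            # assumption: unset/empty means "nothing configured"
    elif value.strip() == "none":
        return []                    # no proxy is trusted
    else:
        entries = [e.strip() for e in value.split(",") if e.strip()]
    # A bare address such as 10.0.0.1 becomes a /32 network.
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def is_trusted(addr, networks):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)

def client_ip(peer_addr, x_forwarded_for, networks):
    """Pick the address to record for one request.

    peer_addr is the TCP peer; x_forwarded_for is the raw header or None.
    """
    # The header is only honoured when the direct peer is a trusted proxy.
    if not x_forwarded_for or not is_trusted(peer_addr, networks):
        return peer_addr
    nearest = peer_addr
    # Walk from the hop closest to the application towards the client.
    for hop in reversed([h.strip() for h in x_forwarded_for.split(",")]):
        try:
            trusted = is_trusted(hop, networks)
        except ValueError:
            return nearest           # malformed entry: stop, keep last verified hop
        if not trusted:
            return hop               # first hop not vouched for by the trusted list
        nearest = hop
    return nearest                   # every hop was a trusted proxy

if __name__ == "__main__":
    nets = parse_trusted_proxies("10.0.0.1,10.0.0.2")
    # Constructed request: client 203.0.113.7 sent its own forged header entry.
    print(client_ip("10.0.0.1", "198.51.100.9, 203.0.113.7, 10.0.0.2", nets))
```

With a list broader than the proxies you operate, the walk continues past the real client and records whatever the leftmost header entry claims, which is why the list should contain only proxies you control.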
