diff --git a/content/rancher/v2.x/en/installation/ha/helm-rancher/chart-options/_index.md b/content/rancher/v2.x/en/installation/ha/helm-rancher/chart-options/_index.md
index 2d9d16bba1b..17c7a9b46b7 100644
--- a/content/rancher/v2.x/en/installation/ha/helm-rancher/chart-options/_index.md
+++ b/content/rancher/v2.x/en/installation/ha/helm-rancher/chart-options/_index.md
@@ -156,6 +156,22 @@ You may terminate the SSL/TLS on a L7 load balancer external to the Rancher clus
 
 Your load balancer must support long lived websocket connections and will need to insert proxy headers so Rancher can route links correctly.
 
+#### Enabling Forward Host Headers
+
+_For Rancher v2.3.0+, which uses NGINX 0.25.0_
+
+If you are using an NGINX ingress controller, you must edit the `cluster.yml` to enable the `use-forwarded-headers` option for ingress:
+
+```yaml
+ingress:
+  provider: nginx
+  options:
+    use-forwarded-headers: "true"
+```
+Version 0.22 of `ingress-nginx` had a [breaking change](https://github.com/kubernetes/ingress-nginx/blob/master/Changelog.md#0220) in which the IP addreses for forwarded headers are not trusted by default. Rancher v2.2.x used `ingress-nginx` 0.21, while Rancher v2.3.x uses `ingress-nginx` 0.25.
+
+This change allows `ingress-nginx` to trust any client to extract true IP addresses from forwarded headers.
+
 #### Required Headers
 
 * `Host`