From 033e352dc9b13d04a20895011e7ffa3f24fd2f42 Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Fri, 25 Oct 2019 13:55:49 -0700 Subject: [PATCH] Document enabling forward host headers for NGINX 0.25.0 --- .../ha/helm-rancher/chart-options/_index.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/content/rancher/v2.x/en/installation/ha/helm-rancher/chart-options/_index.md b/content/rancher/v2.x/en/installation/ha/helm-rancher/chart-options/_index.md index 2d9d16bba1b..17c7a9b46b7 100644 --- a/content/rancher/v2.x/en/installation/ha/helm-rancher/chart-options/_index.md +++ b/content/rancher/v2.x/en/installation/ha/helm-rancher/chart-options/_index.md @@ -156,6 +156,22 @@ You may terminate the SSL/TLS on a L7 load balancer external to the Rancher clus Your load balancer must support long lived websocket connections and will need to insert proxy headers so Rancher can route links correctly. +#### Enabling Forward Host Headers + +_For Rancher v2.3.0+, which uses NGINX 0.25.0_ + +If you are using an NGINX ingress controller, you must edit the `cluster.yml` to enable the `use-forwarded-headers` option for ingress: + +```yaml +ingress: + provider: nginx + options: + use-forwarded-headers: "true" +``` +Version 0.22 of `ingress-nginx` had a [breaking change](https://github.com/kubernetes/ingress-nginx/blob/master/Changelog.md#0220) in which the IP addreses for forwarded headers are not trusted by default. Rancher v2.2.x used `ingress-nginx` 0.21, while Rancher v2.3.x uses `ingress-nginx` 0.25. + +This change allows `ingress-nginx` to trust any client to extract true IP addresses from forwarded headers. + #### Required Headers * `Host`
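Review bot: The last added sentence, "This change allows `ingress-nginx` to trust any client to extract true IP addresses from forwarded headers", states the security consequence without scoping it. With `use-forwarded-headers: "true"` the forwarded headers are accepted from whoever sends them, so the text should say that the option is meant for the setup this section describes, where the ingress sits behind an external L7 load balancer that inserts the proxy headers, and that it should stay off when clients can reach the ingress controller directly. Smaller points in the same hunk: "addreses" should be "addresses"; the italic note says "NGINX 0.25.0" while the paragraph below it says `ingress-nginx` 0.25, and both should name the same component; the heading reads "Forward Host Headers" while the option is `use-forwarded-headers`; and a blank line is needed between the closing code fence and the "Version 0.22 of `ingress-nginx`" paragraph.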