coder
diff --git a/‎cli/deployment/flags.go
+12 b/‎cli/deployment/flags.go
+12
diff --git a/‎cli/server.go
+7 b/‎cli/server.go
+7
diff --git a/‎coderd/coderd.go
+2 b/‎coderd/coderd.go
+2
diff --git a/‎coderd/coderdtest/coderdtest.go
+3 b/‎coderd/coderdtest/coderdtest.go
+3
@@ -236,6 +236,18 @@ func Flags() *codersdk.DeploymentFlags {
 			Description: "Scopes to grant when authenticating with OIDC.",
 			Default:     []string{oidc.ScopeOpenID, "profile", "email"},
 		},
+		ProxyTrustedHeaders: &codersdk.StringArrayFlag{
+			Name:        "Trusted HTTP Proxy Headers",
+			Flag:        "proxy-trusted-headers",
+			EnvVar:      "CODER_PROXY_TRUSTED_HEADERS",
+			Description: "Headers to trust for forwarding IP addresses. e.g. \"X-Forwarded-for\"",
+		},
+		ProxyTrustedOrigins: &codersdk.StringArrayFlag{
+			Name:        "Trusted HTTP Proxy Origins",
+			Flag:        "proxy-trusted-origins",
+			EnvVar:      "CODER_PROXY_TRUSTED_ORIGINS",
+			Description: "Origin addresses to respect \"proxy-trusted-headers\".",
+		},
 		TelemetryEnable: &codersdk.BoolFlag{
 			Name:        "Telemetry Enabled",
 			Flag:        "telemetry",
 
@@ -56,6 +56,7 @@ import (
 	"github.com/coder/coder/coderd/devtunnel"
 	"github.com/coder/coder/coderd/gitsshkey"
 	"github.com/coder/coder/coderd/httpapi"
+	"github.com/coder/coder/coderd/httpmw"
 	"github.com/coder/coder/coderd/prometheusmetrics"
 	"github.com/coder/coder/coderd/telemetry"
 	"github.com/coder/coder/coderd/tracing"
@@ -321,6 +322,11 @@ func Server(dflags *codersdk.DeploymentFlags, newAPI func(context.Context, *code
 				}
 			}
 
+			realIPConfig, err := httpmw.ParseRealIPConfig(dflags.ProxyTrustedHeaders.Value, dflags.ProxyTrustedOrigins.Value)
+			if err != nil {
+				return xerrors.Errorf("parse real ip config: %w", err)
+			}
+
 			options := &coderd.Options{
 				AccessURL:                   accessURLParsed,
 				AppHostname:                 appHostname,
@@ -332,6 +338,7 @@ func Server(dflags *codersdk.DeploymentFlags, newAPI func(context.Context, *code
 				CacheDir:                    dflags.CacheDir.Value,
 				GoogleTokenValidator:        googleTokenValidator,
 				SecureAuthCookie:            dflags.SecureAuthCookie.Value,
+				RealIPConfig:                realIPConfig,
 				SSHKeygenAlgorithm:          sshKeygenAlgorithm,
 				TracerProvider:              tracerProvider,
 				Telemetry:                   telemetry.NewNoop(),
 
@@ -82,6 +82,7 @@ type Options struct {
 	Telemetry            telemetry.Reporter
 	TracerProvider       trace.TracerProvider
 	AutoImportTemplates  []AutoImportTemplate
+	RealIPConfig         *httpmw.RealIPConfig
 
 	// TLSCertificates is used to mesh DERP servers securely.
 	TLSCertificates    []tls.Certificate
@@ -198,6 +199,7 @@ func New(options *Options) *API {
 	r.Use(
 		httpmw.AttachRequestID,
 		httpmw.Recover(api.Logger),
+		httpmw.ExtractRealIP(api.RealIPConfig),
 		httpmw.Logger(api.Logger),
 		httpmw.Prometheus(options.PrometheusRegistry),
 		// handleSubdomainApplications checks if the first subdomain is a valid
 
@@ -57,6 +57,7 @@ import (
 	"github.com/coder/coder/coderd/database/dbtestutil"
 	"github.com/coder/coder/coderd/gitsshkey"
 	"github.com/coder/coder/coderd/httpapi"
+	"github.com/coder/coder/coderd/httpmw"
 	"github.com/coder/coder/coderd/rbac"
 	"github.com/coder/coder/coderd/telemetry"
 	"github.com/coder/coder/coderd/util/ptr"
@@ -77,6 +78,7 @@ type Options struct {
 	Experimental         bool
 	AzureCertificates    x509.VerifyOptions
 	GithubOAuth2Config   *coderd.GithubOAuth2Config
+	RealIPConfig         *httpmw.RealIPConfig
 	OIDCConfig           *coderd.OIDCConfig
 	GoogleTokenValidator *idtoken.Validator
 	SSHKeygenAlgorithm   gitsshkey.Algorithm
@@ -238,6 +240,7 @@ func NewOptions(t *testing.T, options *Options) (func(http.Handler), context.Can
 			AWSCertificates:      options.AWSCertificates,
 			AzureCertificates:    options.AzureCertificates,
 			GithubOAuth2Config:   options.GithubOAuth2Config,
+			RealIPConfig:         options.RealIPConfig,
 			OIDCConfig:           options.OIDCConfig,
 			GoogleTokenValidator: options.GoogleTokenValidator,
 			SSHKeygenAlgorithm:   options.SSHKeygenAlgorithm,