Forgejo's docker containers had `REVERSE_PROXY_TRUSTED_PROXIES = *` configured in them by default. In the event that the Forgejo sysadmin set the docker environment variable `FORGEJO__service__ENABLE_REVERSE_PROXY_AUTHENTICATION` to the value `true`, *and* an unauthorized user could access Forgejo without traversing a reverse proxy performing authentication, then an unauthorized user could use the `X-WebAuth-User` HTTP header to impersonate any user. While this is an unlikely set of configuration settings, it seems more prudent for the Forgejo to require a sysadmin to choose an appropriate value for `REVERSE_PROXY_TRUSTED_PROXIES`. Even in a containerized environment, this value can be used safely and set to reasonable values if firewall-level networking is in use (eg. using [Docker with iptables](https://docs.docker.com/engine/network/firewall-iptables/)), which is the common default for docker systems in 2026.
The intent of this PR is to change the default in Forgejo 16, and to mark it as a breaking change for highlighting in the release notes. The risk of misconfiguration is not high enough to backport this breaking change to earlier Forgejo releases.
If a sysadmin wants to use the previous configuration, they can set the environment variable `FORGEJO__service__REVERSE_PROXY_TRUSTED_PROXIES` to the value `*`, but it would be recommended that they revise the setting to a narrower set of trusted IPs that they expect reverse proxy connections from. See the [`[security]`](https://forgejo.org/docs/latest/admin/config-cheat-sheet/#security-security) config block for more information.
## Checklist
The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).
### Documentation
- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.
### Release notes
- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12782
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
There was a mistake when choosing the structure for the repo avatars parent folder and it added a spurious /gitea.
The `data` directory should contain folders like:
- `attachments/`
- `avatars/`
- `log/`
- `repo-avatars/`
* Switch to non-deprecation setting
(Avoid by-default: "Deprecated fallback `[server]` `LFS_CONTENT_PATH` present. Use `[lfs]` `PATH` instead. This fallback will be removed in v1.18.0")
* Update all references
* Add reverse proxy configuration support for remote IP address validation
* Trust all IP addresses in containerized environments by default
* Use single option to specify networks and proxy IP addresses. By default trust all loopback IPs
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
* docker: rootless image
* improve docs + remove check for write perm on custom
* add more info on ssh passtrough
* Add comment for internal ssh server in container config