Trusted Proxies
When a reverse proxy, CDN, or load balancer sits between visitors and the Signal ingestion gateway, the network connection arrives from the proxy — not the real visitor. The gateway needs to know which IP ranges belong to your proxy infrastructure so it can identify the visitor behind it.
Signal’s Trusted Proxies list is the source of truth. Configure it once, and the gateway uses it to extract the real client IP from every incoming event. Changes take effect within 30 seconds — no restart needed.
When you need it
You need to configure trusted proxies when any of the following sits between your visitors and Signal:
- A CDN — Cloudflare, AWS CloudFront, Fastly, Akamai, etc.
- A cloud load balancer — AWS ALB/NLB, Google Cloud Load Balancing, Azure Application Gateway
- A reverse proxy you operate yourself — nginx, HAProxy, Traefik, Envoy
If Signal is exposed directly to the public internet with nothing in front of it, the gateway records the real client IP automatically and you can skip this section.
Signal ships with the three RFC 1918 private network ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) trusted by default. These cover internal Kubernetes pod networks, Docker bridges, and most internal load balancers, so a typical deployment only needs to add the public-facing CDN ranges on top.
How to configure it
Trusted proxies are managed in the Signal management UI. Open Settings → Trusted Proxies.
The page has three sections you’ll work with most:
- Add from preset — pick a vendor (Cloudflare, AWS CloudFront, Fastly, GCP HTTPS LB) and apply its current CIDR ranges in one click. For Cloudflare / AWS CloudFront / Fastly, you can also subscribe to weekly auto-refresh so the list stays current as the vendor updates it.
- Add custom CIDR — for proxies not in the preset library (your own internal LBs, vendors with private IP allocations, AWS ALB ranges in your VPC, etc.). Use the smallest range that covers your proxy.
- Active list — every trusted CIDR with its label, status, and last-update timestamp. Disable a row to temporarily exclude it; delete to remove permanently.
Subscribing to auto-refresh
For the three vendors with publicly published CIDR feeds (Cloudflare, AWS CloudFront, Fastly), the management API can fetch the latest ranges directly from the vendor on a weekly schedule. This keeps your trust list current without any manual upkeep.
When you apply one of these presets, leave the “Subscribe to auto-refresh (recommended)” checkbox ticked. Signal will:
- Fetch the vendor’s published list immediately
- Insert the current ranges into your trusted proxies
- Register your deployment to re-fetch the list every 7 days
- Reconcile additions and removals automatically — new vendor ranges are added, retired ranges are removed
The Active subscriptions section shows you the last refresh time, what changed (e.g. “+3 / -1”), and whether the last refresh succeeded. You can also click Refresh now at any time to trigger an immediate update.
To stop auto-refreshing, click Unsubscribe. This also removes the vendor’s managed CIDRs from your trust list. Any custom CIDRs you added manually are untouched.
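The reconcile and unsubscribe behaviour described above can be modelled as a small set operation over the active list, provided each row remembers which vendor subscription (if any) owns it. The following is an added illustration, not Signal's own code; the TrustedCidr record, its source field, the vendor name "ExampleCDN" and all CIDR values are constructed for the example. CIDRs are normalised before comparison so that two spellings of the same network do not show up as a spurious "+1 / -1".

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class TrustedCidr:
    """One row of the Active list. `source` is "custom" for manually added
    ranges, or the vendor name for ranges owned by an auto-refresh
    subscription (constructed model, not Signal's schema)."""
    cidr: str
    label: str
    source: str


def normalize(cidr: str) -> str:
    # "198.51.100.5/24" and "198.51.100.0/24" are the same network.
    return str(ipaddress.ip_network(cidr, strict=False))


def reconcile(active, vendor, fetched_cidrs):
    """Apply one refresh of `vendor`'s published list.

    Returns (new_active, added, removed). Only rows owned by `vendor` are
    touched; custom rows and other vendors' rows pass through unchanged.
    """
    managed = {normalize(e.cidr) for e in active if e.source == vendor}
    fetched = {normalize(c) for c in fetched_cidrs}
    added = sorted(fetched - managed)
    removed = sorted(managed - fetched)
    new_active = [
        e for e in active
        if not (e.source == vendor and normalize(e.cidr) in removed)
    ]
    new_active += [TrustedCidr(c, f"{vendor} (managed)", vendor) for c in added]
    return new_active, added, removed


def change_summary(added, removed) -> str:
    # Same shape as the "+3 / -1" shown in the Active subscriptions section.
    return f"+{len(added)} / -{len(removed)}"


def unsubscribe(active, vendor):
    """Drop the vendor's managed rows; custom rows are untouched."""
    return [e for e in active if e.source != vendor]


# Constructed starting state: one custom range and two vendor-managed ranges.
ACTIVE = [
    TrustedCidr("10.0.0.0/8", "internal LB", "custom"),
    TrustedCidr("198.51.100.0/24", "ExampleCDN (managed)", "ExampleCDN"),
    TrustedCidr("203.0.113.0/24", "ExampleCDN (managed)", "ExampleCDN"),
]
# Constructed vendor feed: one range retired, one new, one unchanged
# (spelled with a host bit set to exercise normalisation).
FETCHED = ["198.51.100.5/24", "192.0.2.0/24"]


def demo():
    new_active, added, removed = reconcile(ACTIVE, "ExampleCDN", FETCHED)
    return {
        "summary": change_summary(added, removed),
        "after_refresh": sorted(e.cidr for e in new_active),
        "after_unsubscribe": sorted(e.cidr for e in unsubscribe(new_active, "ExampleCDN")),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the source field is the last rule on the page: unsubscribing removes only what the subscription inserted. Without that ownership marker a refresh could not tell a retired vendor range from a range you added deliberately.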
Verifying the configuration
The Test resolution tool at the bottom of the page lets you confirm your configuration before relying on it for live traffic. Paste the request fields you’d expect Signal to see — typically:
- Remote address — the IP of whatever connects directly to Signal (your proxy’s egress IP)
- X-Forwarded-For — the chain the proxy added (real client IP, possibly followed by intermediate hops)
- CF-Connecting-IP (Cloudflare only) — the real client IP, set by Cloudflare
Click Test resolution. Signal shows the IP that would be recorded as Context.IP on an event with those headers, plus a step-by-step trace of how the chain was walked.
If the test shows the correct visitor IP, your configuration is working. If it shows the proxy’s IP instead — or displays “Headers ignored (connecting peer not trusted)” — add the proxy’s IP range to the trusted list.
What happens if the list is wrong
Missing a CIDR you should trust. The proxy’s IP gets recorded as the visitor IP. Bot detection may flag legitimate traffic as datacenter sources. Fix: add the proxy’s range to the trusted list. Effects propagate within 30 seconds.
Trusting too broadly (e.g. trusting 0.0.0.0/0). Anyone who connects directly to Signal can forge an X-Forwarded-For header and impersonate any IP. Always use the smallest range that covers your proxy infrastructure, never a wildcard.
Vendor changed their published ranges. If you’ve subscribed to auto-refresh, this is handled automatically on the next weekly cycle. For manual / custom CIDRs, you’ll need to update them yourself.
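To make the three outcomes above concrete, here is an added Python model of the resolution the Test resolution tool traces. It is illustrative code written for this page, not Signal's implementation, and it assumes the common right-to-left walk: the connecting peer must itself be trusted before any header is read, then X-Forwarded-For is walked from the right, skipping trusted proxies, until the first untrusted address (the client) is found. CF-Connecting-IP is deliberately left out; only X-Forwarded-For is modelled. All IP addresses and the "198.51.100.0/24" CDN range are constructed.

```python
import ipaddress
from dataclasses import dataclass, field

# Mirrors the RFC 1918 ranges the page says are trusted out of the box.
DEFAULT_TRUSTED = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


@dataclass
class Resolution:
    ip: str                      # what would be recorded as Context.IP
    trace: list = field(default_factory=list)


def _networks(cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def _trusted(addr: str, networks) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in networks)


def resolve_client_ip(remote_addr: str, headers: dict, trusted_cidrs) -> Resolution:
    """Hypothetical resolver: right-to-left X-Forwarded-For walk gated on a trusted peer."""
    networks = _networks(trusted_cidrs)
    trace = []

    # Step 1: an untrusted connecting peer could have written any header, so
    # none of its headers are believed and its own address is recorded.
    if not _trusted(remote_addr, networks):
        trace.append(f"Headers ignored (connecting peer {remote_addr} not trusted)")
        return Resolution(remote_addr, trace)
    trace.append(f"Connecting peer {remote_addr} is trusted; walking X-Forwarded-For")

    xff = {k.lower(): v for k, v in headers.items()}.get("x-forwarded-for", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if not hops:
        trace.append("No X-Forwarded-For header; recording connecting peer")
        return Resolution(remote_addr, trace)

    # Step 2: each proxy appends the address it received the request from, so
    # the rightmost hop is the one the connecting peer vouches for. Skip hops
    # that are trusted proxies; the first untrusted hop is the client.
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            trace.append(f"Malformed hop {hop!r}; stopping and recording connecting peer")
            return Resolution(remote_addr, trace)
        if _trusted(hop, networks):
            trace.append(f"{hop} is a trusted proxy; moving one hop left")
            continue
        trace.append(f"{hop} is not a trusted proxy; recording it as the client")
        return Resolution(hop, trace)

    # Every hop was trusted (e.g. an over-broad list); nothing left to distrust.
    trace.append(f"Every hop is trusted; recording leftmost hop {hops[0]}")
    return Resolution(hops[0], trace)


# Constructed scenarios matching the three outcomes described on the page.
CDN_RANGE = "198.51.100.0/24"            # constructed CDN egress range
CORRECT = ("10.0.0.5", {"X-Forwarded-For": "203.0.113.7, 198.51.100.4"},
           DEFAULT_TRUSTED + [CDN_RANGE])
MISSING_CIDR = ("198.51.100.4", {"X-Forwarded-For": "203.0.113.7"}, DEFAULT_TRUSTED)
TOO_BROAD = ("192.0.2.9", {"X-Forwarded-For": "203.0.113.7"}, ["0.0.0.0/0"])


if __name__ == "__main__":
    for name, args in [("correct", CORRECT), ("missing CIDR", MISSING_CIDR),
                       ("0.0.0.0/0", TOO_BROAD)]:
        r = resolve_client_ip(*args)
        print(f"[{name}] Context.IP = {r.ip}")
        for line in r.trace:
            print("   ", line)
```

The three constructed scenarios line up with the page: with the CDN range trusted the walk lands on 203.0.113.7; with it missing the tool reports "Headers ignored" and the CDN's own 198.51.100.4 is recorded; with 0.0.0.0/0 a direct connection from 192.0.2.9 carrying a made-up header is recorded as 203.0.113.7, which is exactly the impersonation the page warns about.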
Air-gapped deployments
If your Signal deployment has no outbound internet access, the auto-refresh subscriptions can’t reach vendor URLs. You have two options:
- Apply presets as snapshots — uncheck “Subscribe to auto-refresh” when applying. Signal uses the CIDR list bundled with your Signal version. When you upgrade Signal, the bundled lists refresh too.
- Use custom CIDRs — manage the full list manually using your operational change-control process.