[docs] Clarify that reverse proxy setups need trusted-proxies (#1127)

* [docs] Clarify that reverse proxy setups need trusted-proxies

* Remove the jq usage

1 files changed, 29 insertions, 0 deletions

diff --git a/docs/installation_guide/docker.md b/docs/installation_guide/docker.md
index 4a59d7d25..aa98403ee 100644
--- a/docs/installation_guide/docker.md
+++ b/docs/installation_guide/docker.md
@@ -98,6 +98,35 @@ If you want to use [LetsEncrypt](../configuration/letsencrypt.md) for ssl certif
 2. Remove the `#` before `- "80:80"` in the `ports` section.
 3. (Optional) Set `GTS_LETSENCRYPT_EMAIL_ADDRESS` to a valid email address to receive certificate expiry warnings etc.
 
+#### Reverse proxies
+
+The default port bindings are for exposing GoToSocial directly and publicly. Remove the `#` in front the line that forwards `127.0.0.1:8080:8080` which makes port `8080` available only to the local host. Change that `127.0.0.1` if the reverse proxy is somewhere else.
+
+To ensure [rate limiting](../api/ratelimiting.md) by IP works, remove the `#` in front of `GTS_TRUSTED_PROXIES` and set it to the IP the requests from the reverse proxy are coming from. That's usually the value of the `Gateway` field of the docker network.
+
+```text
+$ docker network inspect gotosocial_gotosocial
+[
+    {
+        "Name": "gotosocial_gotosocial",
+        [...]
+        "IPAM": {
+            "Driver": "default",
+            "Options": null,
+            "Config": [
+                {
+                    "Subnet": "172.19.0.0/16",
+                    "Gateway": "172.19.0.1"
+                }
+            ]
+        },
+        [...]
+```
+
+In the example above, it would be `172.19.0.1`.
+
+If unsure, skip the trusted proxies step, continue with the next sections, and once it's running get the `clientIP` from the docker logs.
+
 ### Start GoToSocial
 
 With those small changes out of the way, you can now start GoToSocial with the following command: