diff roundup/scripts/roundup_xmlrpc_server.py @ 5303:5017c3422334

Pass X-Forwarded-For and X-Forwarded-Proto headers as HTTP_X-FORWARDED-FOR and HTTP_X-FORWARDED-PROTO variables in the tracker environment array. Neither of these variables should be used by the core code unless config.ini params are added to control their use.

I use the FORWARDED-FOR variable to disable the reCAPTCHA extension check if it is a local address using:

    if 'HTTP_X-FORWARDED-FOR' in self.client.env:
        # if proxied from client at local site, don't validate captcha
        # used for running automated tests.
        clientip=self.client.env['HTTP_X-FORWARDED-FOR'].split(',')[0]
        if clientip.startswith("192.168.10."):
            secret="none"

I run a front end web server that proxies over loopback to the running roundup-server. So I feel I can trust the X-Forwarded-For header. In other setups that may not be true. Hence the requirement that it not be used in core roundup code without allowing the roundup admin the ability to disable it.
author John Rouillard <rouilj@ieee.org>
date Mon, 09 Oct 2017 17:54:54 -0400
parents 198b6e810c67
children 64b05e24dbd8
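
An added example, not part of this changeset or of Roundup's own code: one way an extension could act on the commit message's caveat by honouring the forwarded header only when the request's direct peer is a trusted proxy, and by reading the header from the right, where the proxy appends the address it actually saw. The `REMOTE_ADDR` key, the `TRUSTED_PROXIES` list, the /24 range and the function names are assumptions made for this example.

```python
import ipaddress

# Assumption: only a front end proxying over loopback may set the header.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.0/8"),
                   ipaddress.ip_network("::1/128")]
# Constructed range matching the "192.168.10." prefix in the commit message.
LOCAL_SITE = ipaddress.ip_network("192.168.10.0/24")


def _in_any(addr, networks):
    """True if addr falls inside any of the given networks."""
    return any(addr in net for net in networks)


def client_ip(env, trusted=TRUSTED_PROXIES):
    """Return the client address for a tracker environment dict.

    The forwarded header is consulted only when the socket peer
    (REMOTE_ADDR, assumed present) is a trusted proxy.
    """
    peer = ipaddress.ip_address(env["REMOTE_ADDR"])
    header = env.get("HTTP_X-FORWARDED-FOR", "")
    if not header or not _in_any(peer, trusted):
        return peer
    # Each proxy appends the address it saw, so the rightmost entry that
    # is not itself a trusted proxy is the last verified hop. Entries to
    # its left arrive with the request and are not verified by anyone.
    for hop in reversed([h.strip() for h in header.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer  # malformed entry: fall back to the socket peer
        if not _in_any(addr, trusted):
            return addr
    return peer


def is_local_client(env):
    """True only if the verified client address is in the local site range."""
    return client_ip(env) in LOCAL_SITE
```

Parsing with `ipaddress` instead of `startswith` also rejects values that merely begin with the expected prefix but are not valid addresses.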

Roundup Issue Tracker: http://roundup-tracker.org/