diff --git a/config.example.yml b/config.example.yml
index 2cf2c35d..46350d66 100644
--- a/config.example.yml
+++ b/config.example.yml
@@ -23,6 +23,10 @@ server:
 
   responseheaders: # response headers are added to every response (default: none)
 #    X-Custom-Header: "custom value"
+#
+  trustedproxies: # IPs or IP ranges of trusted proxies. Used to obtain the remote ip via the X-Forwarded-For header. (configure 127.0.0.1 to trust sockets)
+#   - 127.0.0.1/32
+#   - ::1
 
   cors: # Sets cors headers only when needed and provides support for multiple allowed origins. Overrides Access-Control-* Headers in response headers.
     alloworigins:
diff --git a/config/config.go b/config/config.go
index a1410c1f..a8fbc2fe 100644
--- a/config/config.go
+++ b/config/config.go
@@ -39,6 +39,8 @@ type Configuration struct {
 			AllowMethods []string
 			AllowHeaders []string
 		}
+
+		TrustedProxies []string
 	}
 	Database struct {
 		Dialect    string `default:"sqlite3"`
diff --git a/router/router.go b/router/router.go
index 228b672e..8b1d3641 100644
--- a/router/router.go
+++ b/router/router.go
@@ -27,6 +27,17 @@ import (
 func Create(db *database.GormDatabase, vInfo *model.VersionInfo, conf *config.Configuration) (*gin.Engine, func()) {
 	g := gin.New()
 
+	g.RemoteIPHeaders = []string{"X-Forwarded-For"}
+	g.SetTrustedProxies(conf.Server.TrustedProxies)
+	g.ForwardedByClientIP = true
+
+	g.Use(func(ctx *gin.Context) {
+		// Map sockets "@" to 127.0.0.1, because gin-gonic can only trust IPs.
+		if ctx.Request.RemoteAddr == "@" {
+			ctx.Request.RemoteAddr = "127.0.0.1:65535"
+		}
+	})
+
 	g.Use(gin.LoggerWithFormatter(logFormatter), gin.Recovery(), gerror.Handler(), location.Default())
 	g.NoRoute(gerror.NotFound())