diff --git a/README.md b/README.md
index ea77ea8..f0037b4 100644
--- a/README.md
+++ b/README.md
@@ -100,6 +100,12 @@ docker run \
 Remember if you are on a public server you don't need to do this, you can set `HTTPS=auto` and have Traefik + Let's Encrypt do the work for you. +If you run the omnibus behind a separate reverse proxy that terminates SSL, then you should +`HTTPS=external`, and set an additional environment variable `TRUSTED_PROXY_IPS` to the IP +address or IP range of the proxy. This may be a comma-separated list, e.g. +`127.0.0.1/32,192.168.1.7`. See Traefik's [forwarded +headers](https://doc.traefik.io/traefik/routing/entrypoints/#forwarded-headers). + You can change `dex.yaml` (for example, to fill in keys for Google and Microsoft sign-ins, or to remove them) and then either rebuild the image or (easier) make the custom settings available to the omnibus
diff --git a/run.js b/run.js
index 15b6b90..db308fb 100755
--- a/run.js
+++ b/run.js
@@ -94,9 +94,14 @@ function startTraefik() {
 if (process.env.HTTPS) {
 flags.push("--entrypoints.websecure.address=:443")
 }
+ let TFA_TRUST_FORWARD_HEADER = 'false';
+ if (process.env.TRUSTED_PROXY_IPS) {
+ flags.push(`--entryPoints.web.forwardedHeaders.trustedIPs=${process.env.TRUSTED_PROXY_IPS}`)
+ TFA_TRUST_FORWARD_HEADER = 'true';
+ }
 log.info("Calling traefik", flags);
 essentialProcess("traefik", child_process.spawn('traefik', flags, {
- env: process.env,
+ env: {...process.env, TFA_TRUST_FORWARD_HEADER},
 stdio: 'inherit',
 detached: true,
 }));
diff --git a/traefik.yaml b/traefik.yaml
index 7c5636e..1d843ff 100644
--- a/traefik.yaml
+++ b/traefik.yaml
@@ -22,6 +22,7 @@ http:
 forwardauth:
 address: 'http://127.0.0.1:{{ env "TFA_PORT" }}'
 authResponseHeaders: [ '{{ env "GRIST_FORWARD_AUTH_HEADER" }}' ]
+ trustForwardHeader: '{{ env "TFA_TRUST_FORWARD_HEADER" }}'
 no-fwd:
 headers:
 customRequestHeaders:
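Review bot: The trusted-proxy list is only applied to the `web` entrypoint, while the `websecure` entrypoint added a few lines above when `HTTPS` is set gets no `forwardedHeaders.trustedIPs`, so if both variables are set, forwarded headers arriving on :443 are still stripped even though the forward-auth middleware now trusts them; unless `HTTPS=external` is guaranteed to leave :443 unused, mirror the flag, e.g. `if (process.env.HTTPS) flags.push(\`--entryPoints.websecure.forwardedHeaders.trustedIPs=${process.env.TRUSTED_PROXY_IPS}\`)`. The value is forwarded into the flag unvalidated, which is acceptable since Traefik rejects a malformed CIDR at startup, but a short comment saying that the entrypoint `trustedIPs` is what prevents arbitrary clients from spoofing `X-Forwarded-*` once `TFA_TRUST_FORWARD_HEADER` is `'true'` would make the coupling explicit for the next maintainer. As a point of style, a mutable local in SCREAMING_SNAKE_CASE reads like a constant; `const trustForwardHeader = process.env.TRUSTED_PROXY_IPS ? 'true' : 'false';` with `env: {...process.env, TFA_TRUST_FORWARD_HEADER: trustForwardHeader}` is equivalent and keeps the flag case consistent with the existing `--entrypoints.websecure` line. startTraefik begins before this hunk and appears to continue after it.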
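Review bot: `trustForwardHeader` is rendered from `TFA_TRUST_FORWARD_HEADER` with no fallback, so if this file is ever loaded with the variable unset (anything other than run.js launching Traefik), the template yields `trustForwardHeader: ''`, which is neither `true` nor `false`. Since the secure default is to not trust client-supplied forwarded headers, consider `trustForwardHeader: '{{ env "TFA_TRUST_FORWARD_HEADER" | default "false" }}'`, assuming the Sprig `default` helper is available in this provider's templates as it is in recent Traefik releases. The quoted value is a YAML string rather than a boolean; Traefik appears to coerce it, but that is worth confirming once in a test start-up.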