diff --git a/config/vufind/config.ini b/config/vufind/config.ini
index 52010e2edb2a89c468242bb64ba3355d4733f8c6..39771e53ff457117679c566eeafe513c5c204aba 100644
--- a/config/vufind/config.ini
+++ b/config/vufind/config.ini
@@ -1375,11 +1375,54 @@ url             = https://www.myendnoteweb.com/EndNoteWeb.html
 ; curl adapter for HTTP requests.
 ;type = socks5
 ;type = socks5_hostname
-; This setting can be used to define a reqular expression pattern for addresses that
-; should be considered local and bypass proxy when making requests. Default is:
-;local_addresses = "@^(localhost|127(\.\d+){3}|\[::1\])@"
-; Following example bypasses also any address starting with '192.168.':
-;local_addresses = "@^(localhost|127(\.\d+){3}|\[::1\]|192\.168\.)@"
+
+; If VuFind is running behind a proxy that uses X-Real-IP/X-Forwarded-For headers,
+; you should configure this setting on so that VuFind reports correct user IP
+; addresses, and sets permissions appropriately. CONFIGURE THIS WITH CARE! It is
+; possible to spoof IP addresses, and configuring this to differentiate between
+; legitimate headers from your proxy and spoofed values is critical to protecting
+; your content.
+;
+; The setting should be an ordered, comma-separated list of headers, with optional
+; colon-separated modifiers specifying behavior.
+;
+; Header values can be any keys in PHP's $_SERVER superglobal array; these are
+; the most commonly used options:
+; - HTTP_X_FORWARDED_FOR
+; - HTTP_X_REAL_IP
+;
+; Supported behaviors (if unspecified, "single" is the default behavior):
+; - first (pick the first comma-separated value; e.g. "a" in "a, b, c")
+; - last (pick the last comma-separated value; e.g. "c" in "a, b, c")
+; - single (enforce single values; completely ignore multi-valued headers)
+;
+; See also forwarded_ip_filter below for a way to filter out known IP addresses
+; of internal network devices before applying first/last/single settings.
+;
+; When commented out or set to false, only the regular REMOTE_ADDR value will
+; be used for IP detection. REMOTE_ADDR will also be used as the default value
+; if none of the configured headers are populated.
+;
+; If you need to implement more nuanced functionality, you can extend or
+; override the VuFind\Net\UserIpReader class to implement your own logic.
+;
+; You can use a header-modifying browser plugin to determine how your proxy
+; will respond to spoofing attempts.
+;
+; See this wiki page for additional notes and comments:
+; https://vufind.org/wiki/administration:security#proxies_and_ip_authentication
+;
+; The example below, if uncommented, will use X-Real-IP if found, and the
+; rightmost value of X-Forwarded-For otherwise (resorting to REMOTE_ADDR only
+; if no relevant X- headers are found).
+;allow_forwarded_ips = "HTTP_X_REAL_IP:single,HTTP_X_FORWARDED_FOR:last"
+
+; This setting can be used in combination with allow_forwarded_ips to prevent
+; known IP addresses of internal proxies and network devices from being reported
+; as end user IP addresses. You can repeat the setting for each IP address that
+; you wish to exclude. The first/last/single processing parameters used by
+; allow_forwarded_ips will be applied AFTER removing addresses filtered here.
+;forwarded_ip_filter[] = 1.2.3.4
 
 ; Default HTTP settings can be loaded here. These values will be passed to
 ; the \Laminas\Http\Client's setOptions method.
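Review bot: The example on the `allow_forwarded_ips` line gives X-Real-IP precedence, but the comment never states the precondition that makes any listed header trustworthy: the proxy must overwrite or strip client-supplied copies of each header, and VuFind must be reachable only through that proxy, since nothing in the described setting limits which peer may send them. I would add ahead of the example `; Only list headers that your proxy always sets or overwrites itself, and block direct access to VuFind;` followed by `; otherwise any client can supply these headers and VuFind will use the address they contain.` The `first` behavior in the list of supported behaviors also deserves a caveat: when proxies append to X-Forwarded-For, the leftmost value is whatever the client sent, so `last` (applied after forwarded_ip_filter) is the safer choice wherever the IP address drives permissions. Separately, the hunk removes the `local_addresses` comment block; if that setting is still honored its documentation should stay, which cannot be confirmed from the lines shown.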