diff --git a/warpgate-common/src/config/mod.rs b/warpgate-common/src/config/mod.rs
index 1b2cc7ecc..ff7c10202 100644
--- a/warpgate-common/src/config/mod.rs
+++ b/warpgate-common/src/config/mod.rs
@@ -139,6 +139,9 @@ pub struct HTTPConfig {
 #[serde(default)]
 pub key: String,
+
+ #[serde(default)]
+ pub trust_x_forwarded_for: bool,
 }
 impl Default for HTTPConfig {
@@ -148,6 +151,7 @@ impl Default for HTTPConfig {
 listen: _default_http_listen(),
 certificate: "".to_owned(),
 key: "".to_owned(),
+ trust_x_forwarded_for: false,
 }
 }
 }
diff --git a/warpgate-protocol-http/src/logging.rs b/warpgate-protocol-http/src/logging.rs
index a0202c257..b620af412 100644
--- a/warpgate-protocol-http/src/logging.rs
+++ b/warpgate-protocol-http/src/logging.rs
@@ -1,18 +1,30 @@
 use http::{Method, StatusCode, Uri};
 use poem::{FromRequest, Request};
+use poem::web::Data;
 use tracing::*;
+use warpgate_core::Services;
 use crate::session_handle::WarpgateServerHandleFromRequest;
 pub async fn span_for_request(req: &Request) -> poem::Result {
 let handle = WarpgateServerHandleFromRequest::from_request_without_body(req).await;
+ let services: Data<&Services> = <_>::from_request_without_body(req).await?;
+ let config = services.config.lock().await;
- let client_ip = req
+ let remote_ip = req
 .remote_addr()
 .as_socket_addr()
 .map(|x| x.ip().to_string())
 .unwrap_or("".into());
+ let client_ip = match config.store.http.trust_x_forwarded_for {
+ true => req
+ .header("X-Forwarded-For")
+ .map(|x| x.to_string())
+ .unwrap_or(remote_ip),
+ false => remote_ip,
+ };
+
 Ok(match handle {
 Ok(ref handle) => {
 let handle = handle.lock().await;
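Review bot: The new `trust_x_forwarded_for` field in `HTTPConfig` has no doc comment, although it is a security-relevant switch: when set, a request header rather than the socket peer decides which client address is recorded. I would add above the field `/// Use the X-Forwarded-For header as the client address. Enable only when every request arrives through a reverse proxy that sets or overwrites this header.` The struct begins before the hunk, so I cannot see whether the other fields are documented.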
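Review bot: With `trust_x_forwarded_for` enabled, the `true` arm copies the raw `X-Forwarded-For` value into `client_ip`, so a comma-separated chain or arbitrary client-supplied text lands in the request span as if it were an address. Take a single hop and validate it first, e.g. `.and_then(|x| x.rsplit(',').next())` followed by `.and_then(|x| x.trim().parse::<std::net::IpAddr>().ok()).map(|ip| ip.to_string())`, keeping `.unwrap_or(remote_ip)` as the fallback; the rightmost entry is the one appended by the proxy nearest to Warpgate, while earlier entries are whatever the client sent. Separately, the `config` guard from `services.config.lock().await` appears to stay alive to the end of the function and so across `handle.lock().await`; reading the flag in one statement, `let trust_xff = services.config.lock().await.store.http.trust_x_forwarded_for;`, would release the lock immediately. `span_for_request` continues past the end of the hunk.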