diff --git a/Changelog.md b/Changelog.md
index 9c5b33dd..1464dd6c 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -7,6 +7,7 @@ This file only reflects the changes that are made in this image. Please refer to
 - gitlab: upgrade to CE v8.7.0
 - SSO: `OAUTH_ALLOW_SSO` now specifies a comma separated list of providers.
 - OAuth: Added `OAUTH_EXTERNAL_PROVIDERS` to specify external oauth providers.
+- Exposed `GITLAB_TRUSTED_PROXIES` configuration parameter
 **8.6.7**
 - added `GITLAB_SIGNUP_ENABLED` option to enable/disable signups
diff --git a/README.md b/README.md
index 86c75244..30a56005 100644
--- a/README.md
+++ b/README.md
@@ -819,6 +819,7 @@ Below is the complete list of available options that can be used to customize yo
 - **GITLAB_SSH_HOST**: The ssh host. Defaults to **GITLAB_HOST**.
 - **GITLAB_SSH_PORT**: The ssh port number. Defaults to `22`.
 - **GITLAB_RELATIVE_URL_ROOT**: The relative url of the GitLab server, e.g. `/git`. No default.
+- **GITLAB_TRUSTED_PROXIES**: Add IP address reverse proxy to trusted proxy list, otherwise users will appear signed in from that address. Currently only a single entry is permitted. No defaults.
 - **GITLAB_HTTPS**: Set to `true` to enable https support, disabled by default.
 - **SSL_SELF_SIGNED**: Set to `true` when using self signed ssl certificates. `false` by default.
 - **SSL_CERTIFICATE_PATH**: Location of the ssl certificate. Defaults to `/home/git/data/certs/gitlab.crt`
diff --git a/assets/runtime/config/gitlabhq/gitlab.yml b/assets/runtime/config/gitlabhq/gitlab.yml
index 96722956..04959783 100644
--- a/assets/runtime/config/gitlabhq/gitlab.yml
+++ b/assets/runtime/config/gitlabhq/gitlab.yml
@@ -50,10 +50,7 @@ production: &base
 # Customize if you have GitLab behind a reverse proxy which is running on a different machine.
 # Add the IP address for your reverse proxy to the list, otherwise users will appear signed in from that address.
 trusted_proxies:
- # Examples:
- #- 192.168.1.0/24
- #- 192.168.2.1
- #- 2001:0db8::/32
+ - {{GITLAB_TRUSTED_PROXIES}}
 # Uncomment and customize if you can't use the default user to run GitLab (default: 'git')
 # user: git
diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults
index 1355669b..6ecdc8a0 100644
--- a/assets/runtime/env-defaults
+++ b/assets/runtime/env-defaults
@@ -71,6 +71,7 @@ GITLAB_PROJECTS_WIKI=${GITLAB_PROJECTS_WIKI:-true}
 GITLAB_PROJECTS_SNIPPETS=${GITLAB_PROJECTS_SNIPPETS:-false}
 GITLAB_PROJECTS_BUILDS=${GITLAB_PROJECTS_BUILDS:-true}
 GITLAB_RELATIVE_URL_ROOT=${GITLAB_RELATIVE_URL_ROOT:-}
+GITLAB_TRUSTED_PROXIES=${GITLAB_TRUSTED_PROXIES:-}
 if [[ -z ${GITLAB_RELATIVE_URL_ROOT} || ${GITLAB_RELATIVE_URL_ROOT} == / ]]; then # should not be set to `/`
 GITLAB_RELATIVE_URL_ROOT=
 fi
diff --git a/assets/runtime/functions b/assets/runtime/functions
index c41e609b..82c2f7d9 100644
--- a/assets/runtime/functions
+++ b/assets/runtime/functions
@@ -294,6 +294,15 @@ gitlab_configure_relative_url() {
 fi
 }
+gitlab_configure_trusted_proxies() {
+ if [[ -n ${GITLAB_TRUSTED_PROXIES} ]]; then
+ echo "Configuring gitlab::trusted_proxies..."
+ update_template ${GITLAB_CONFIG} GITLAB_TRUSTED_PROXIES
+ else
+ exec_as_git sed -i "/{{GITLAB_TRUSTED_PROXIES}}/d" ${GITLAB_CONFIG}
+ fi
+}
+
 gitlab_configure_timezone() {
 echo "Configuring gitlab::timezone..."
 update_template ${GITLAB_CONFIG} GITLAB_TIMEZONE
@@ -1109,6 +1118,7 @@ configure_gitlab() {
 gitlab_configure_sidekiq
 gitlab_configure_gitlab_workhorse
 gitlab_configure_relative_url
+ gitlab_configure_trusted_proxies
 gitlab_configure_unicorn
 gitlab_configure_timezone
 gitlab_configure_rack_attack
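Review bot: In assets/runtime/config/gitlabhq/gitlab.yml the single `- {{GITLAB_TRUSTED_PROXIES}}` item replaces the commented examples, so the template no longer shows which value forms are accepted (single IPv4 address, CIDR range, IPv6 prefix). Because this list decides which upstream hop's forwarded client address is believed, I would keep a short comment above the placeholder, for example `# List only the reverse proxy itself (address or CIDR); a host listed here can set the client IP that GitLab records.` The placeholder also holds exactly one entry, as the README change in this commit states, so that limit is worth repeating in the template comment.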
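Review bot: In assets/runtime/functions, `gitlab_configure_trusted_proxies` passes `GITLAB_TRUSTED_PROXIES` to `update_template` without checking that it looks like an address or CIDR range. A typo or stray whitespace would end up in `trusted_proxies:`, and an over-broad range would presumably let hosts other than the proxy supply the client IP used in sign-in records. A guard before the `update_template` call would catch malformed values, e.g. `[[ ${GITLAB_TRUSTED_PROXIES} =~ ^[0-9A-Fa-f:.]+(/[0-9]+)?$ ]] || { echo "ERROR: invalid GITLAB_TRUSTED_PROXIES" >&2; return 1; }`, with the failure handling adapted to whatever the other configure functions do. Separately, as a style point, `${GITLAB_CONFIG}` is unquoted in both branches and should be `"${GITLAB_CONFIG}"`.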