shlinkio
diff --git a/‎CHANGELOG.md‎
Lines changed: 3 additions & 1 deletion b/‎CHANGELOG.md‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎config/autoload/ip-address.global.php‎
Lines changed: 0 additions & 13 deletions b/‎config/autoload/ip-address.global.php‎
Lines changed: 0 additions & 13 deletions
diff --git a/‎module/Core/src/Middleware/ReverseForwardedAddressesMiddlewareDecorator.php‎
Lines changed: 0 additions & 51 deletions b/‎module/Core/src/Middleware/ReverseForwardedAddressesMiddlewareDecorator.php‎
Lines changed: 0 additions & 51 deletions
diff --git a/‎module/Core/test-api/Action/RedirectTest.php‎
Lines changed: 0 additions & 9 deletions b/‎module/Core/test-api/Action/RedirectTest.php‎
Lines changed: 0 additions & 9 deletions
diff --git a/‎module/Core/test/Middleware/ReverseForwardedAddressesMiddlewareDecoratorTest.php‎
Lines changed: 0 additions & 59 deletions b/‎module/Core/test/Middleware/ReverseForwardedAddressesMiddlewareDecoratorTest.php‎
Lines changed: 0 additions & 59 deletions
@@ -9,7 +9,9 @@ The format is based on [Keep a Changelog](https://keepachangelog.com), and this
 * *Nothing*
 
 ### Changed
-* *Nothing*
+* [#2522](https://github.com/shlinkio/shlink/issues/2522) Shlink no longer tries to detect trusted proxies automatically, when resolving the visitor's IP address, as this is a potential security issue.
+
+    Instead, if you have more than 1 proxy in front of Shlink, you should provide `TRUSTED_PROXIES` env var, with either a comma-separated list of the IP addresses of your proxies, or a number indicating how many proxies are there in front of Shlink.
 
 ### Deprecated
 * *Nothing*
 
@@ -5,7 +5,6 @@
 use RKA\Middleware\IpAddress;
 use RKA\Middleware\Mezzio\IpAddressFactory;
 use Shlinkio\Shlink\Core\Config\EnvVars;
-use Shlinkio\Shlink\Core\Middleware\ReverseForwardedAddressesMiddlewareDecorator;
 
 use function Shlinkio\Shlink\Core\splitByComma;
 
@@ -43,18 +42,6 @@
             'factories' => [
                 IpAddress::class => IpAddressFactory::class,
             ],
-            'delegators' => [
-                // Make middleware decoration transparent to other parts of the code
-                IpAddress::class => [
-                    fn ($c, $n, callable $callback) =>
-                        // If trusted proxies have been provided, use original middleware verbatim, otherwise decorate
-                        // with workaround
-                        $trustedProxies !== null
-                            ? $callback()
-                            : new ReverseForwardedAddressesMiddlewareDecorator($callback()),
-                ],
-            ],
-
         ],
 
     ];
 
@@ -106,15 +106,6 @@ public static function provideRequestOptions(): iterable
                 'https://example.com/static-ip-address',
             ];
         }
-
-        yield 'rule: IP address in "X-Forwarded-For" together with proxy addresses' => [
-            [
-                RequestOptions::HEADERS => [
-                    'X-Forwarded-For' => '1.2.3.4, 192.168.1.1, 192.168.1.2',
-                ],
-            ],
-            'https://example.com/static-ip-address',
-        ];
     }
 
     /**