2 files changed, 22 insertions, 2 deletions

diff --git a/docs/en/admins/09_AccessControl.md b/docs/en/admins/09_AccessControl.md
index e158f2a4e..4f45554cb 100644
--- a/docs/en/admins/09_AccessControl.md
+++ b/docs/en/admins/09_AccessControl.md
@@ -34,6 +34,26 @@ You may alternatively pass a `TRUSTED_PROXY` environment variable in a format co
 
 > ☠️ WARNING: FreshRSS will trust any IP configured in the `trusted_sources` option, if your proxy isn’t properly secured, an attacker could simply attach this header and get admin access.
 
+### Authentik Proxy Provider
+
+If you wish to use external authentication with [Authentik](https://goauthentik.io/),
+you will need to configure a [Proxy Provider](https://goauthentik.io/docs/providers/proxy/) with a *Property Mapping* that tells Authentik to inject the `X-WebAuth-User` HTTP header.
+You can do so with the following expression:
+
+```python
+return {
+    "ak_proxy": {
+        "user_attributes": {
+            "additionalHeaders": {
+                "X-WebAuth-User": request.user.username,
+            }
+        }
+    }
+}
+```
+
+See also another option for Authentik, [using the OAuth2 Provider with OpenID](16_OpenID-Connect-Authentik.md).
+
 ## No Authentication
 
 Not using authentication on your server is dangerous, as anyone with access to your server would be able to make changes as an admin.
diff --git a/lib/lib_rss.php b/lib/lib_rss.php
index 356d5bc0d..648f11a74 100644
--- a/lib/lib_rss.php
+++ b/lib/lib_rss.php
@@ -683,10 +683,10 @@ function checkTrustedIP(): bool {
 	if ($trusted != 0 && is_string($trusted)) {
 		$trusted = preg_split('/\s+/', $trusted, -1, PREG_SPLIT_NO_EMPTY);
 	}
-	if (empty($trusted)) {
+	if (!is_array($trusted) || empty($trusted)) {
 		$trusted = FreshRSS_Context::$system_conf->trusted_sources;
 	}
-	foreach (FreshRSS_Context::$system_conf->trusted_sources as $cidr) {
+	foreach ($trusted as $cidr) {
 		if (checkCIDR($remoteIp, $cidr)) {
 			return true;
 		}