1 files changed, 11 insertions, 1 deletions

diff --git a/docs/en/admins/09_AccessControl.md b/docs/en/admins/09_AccessControl.md
index 8ee193cea..4bd4dc8b5 100644
--- a/docs/en/admins/09_AccessControl.md
+++ b/docs/en/admins/09_AccessControl.md
@@ -15,13 +15,23 @@ You may also choose to use HTTP Authentication provided by your web server.[^1]
 
 If you choose to use this option, create a `./p/i/.htaccess` file with a matching `.htpasswd` file.
 
-You can also use any authentication backend as long as your web server exposes the authenticated user through the `REMOTE_USER` variable.
+You can also use any authentication backend as long as your web server exposes the authenticated user through the `Remote-User` variable.
 
 By default, new users allowed by HTTP Basic Auth will automatically be created in FreshRSS the first time they log in.
 You can disable auto-registration of new users by setting `http_auth_auto_register` to `false` in the configuration file.
 When using auto-registration, you can optionally use the `http_auth_auto_register_email_field` to specify the name of a web server
 variable containing the email address of the authenticated user (e.g. `REMOTE_USER_EMAIL`).
 
+## External Authentication
+
+You may also use the `Remote-User` or `X-WebAuth-User` header to integrate with a your reverse-proxy’s authentication.
+
+To enable this feature, you need to add the IP range (in CIDR notation) of your trusted proxy in the `trusted_sources` configuration option.
+To allow only one IPv4, you can use a `/32` like this: `trusted_sources => [ '192.168.1.10/32' ]`.
+Likewise to allow only one IPv6, you can use a `/128` like this: `trusted_sources => [ '::1/128' ]`.
+
+WARNING: FreshRSS will trust any IP configured in the `trusted_sources` option, if your proxy isn’t properly secured, an attacker could simply attach this header and get admin access.
+
 ## No Authentication
 
 Not using authentication on your server is dangerous, as anyone with access to your server would be able to make changes as an admin.