diff --git a/miniserv.pl b/miniserv.pl
index 5bf7914f7..9868fcac0 100755
--- a/miniserv.pl
+++ b/miniserv.pl
@@ -1388,12 +1388,19 @@ while(1) {
 		&http_error(400, "Bad Header $headline");
 		}
 	}
-if ($header{'x-forwarded-for'}) {
-	$loghost = $header{'x-forwarded-for'};
+
+# If a remote IP is given in a header (such as via a proxy), only use it
+# for logging unless trust_real_ip is set
+local $headerhost = $header{'x-forwarded-for'} ||
+		    $header{'x-real-ip'};
+if ($config{'trust_real_ip'}) {
+	$acpthost = $headerhost || $acpthost;
+	$loghost = $acpthost;
 	}
-elsif ($header{'x-real-ip'}) {
-	$loghost = $header{'x-real-ip'};
+else {
+	$loghost = $headerhost || $loghost;
 	}
+
 if (defined($header{'host'})) {
 	if ($header{'host'} =~ /^\[(.+)\]:([0-9]+)$/) {
 		($host, $port) = ($1, $2);
diff --git a/webmin/change_access.cgi b/webmin/change_access.cgi
index aefd21d3d..f0d9fe5ac 100755
--- a/webmin/change_access.cgi
+++ b/webmin/change_access.cgi
@@ -38,6 +38,7 @@ if ($in{"access"} == 1) { $miniserv{"allow"} = join(' ', @hosts); }
 elsif ($in{"access"} == 2) { $miniserv{"deny"} = join(' ', @hosts); }
 $miniserv{'libwrap'} = $in{'libwrap'};
 $miniserv{'alwaysresolve'} = $in{'alwaysresolve'};
+$miniserv{'trust_real_ip'} = $in{'trust'};
 &put_miniserv_config(\%miniserv);
 &unlock_file($ENV{'MINISERV_CONFIG'});
 &show_restart_page();
diff --git a/webmin/edit_access.cgi b/webmin/edit_access.cgi
index 4b692bc2b..d801297e4 100755
--- a/webmin/edit_access.cgi
+++ b/webmin/edit_access.cgi
@@ -27,6 +27,9 @@ print &ui_table_row($text{'access_ip'},
 print &ui_table_row($text{'access_always'},
 	&ui_yesno_radio("alwaysresolve", int($miniserv{'alwaysresolve'})));
 
+print &ui_table_row($text{'access_trust'},
+	&ui_yesno_radio("trust", int($miniserv{'trust_real_ip'})));
+
 eval "use Authen::Libwrap qw(hosts_ctl STRING_UNKNOWN)";
 if (!$@) {
 	print &ui_table_row($text{'access_libwrap'},