Mention solutions for both L7 and L4 LBs

gravitational · Dec 6, 2024 · 7461427 · 7461427
1 parent ad16c90
commit 7461427
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 4 deletions.
diff --git a/docs/pages/includes/device-trust/prereqs.mdx b/docs/pages/includes/device-trust/prereqs.mdx
@@ -12,3 +12,6 @@
   - `tsh` v15.0.0 or newer. [Install tsh for Linux](../../installation.mdx#linux).
 - To authenticate a Web UI session you need [Teleport Connect](
   ../../connect-your-client/teleport-connect.mdx#installation--upgrade)
+- Correct end-user IP propagation to your Teleport deployment: X-Forwarded-For
+  header (L7 load balancer) or [PROXY protocol](
+  ../../admin-guides/management/security/proxy-protocol.mdx) (L4 load balancer)
diff --git a/docs/pages/includes/device-trust/troubleshooting.mdx b/docs/pages/includes/device-trust/troubleshooting.mdx
@@ -88,10 +88,12 @@ events.
 ### "device web authentication IP mismatch" errors
 
 "IP mismatch" errors in audit logs indicate that the IP checks performed by the
-device web authentication ceremony failed. In this case it's likely that your
-Teleport cluster isn't propagating user IPs correctly. Consider enabling the
-[PROXY protocol](../../admin-guides/management/security/proxy-protocol.mdx) in
-your Teleport deployment.
+device web authentication ceremony failed. In this case it's likely that
+end-user IPs are not propagated correctly to your Teleport deployment.
+
+* L7 load balancer: make sure it propagates the X-Forwarded-For header
+* L4 load balancer: enable [PROXY protocol](
+  ../../admin-guides/management/security/proxy-protocol.mdx)
 
 ### Checking Device Trust authorization status in the web UI