TRUSTED_PROXIES value for typical container + Cloudflare

[audioscavenger]

At https://docs.linuxserver.io/images/docker-lychee/#environment-variables-e it clearly states to not use (*) but instead: Set to the IP or netmask covering your reverse proxy, if running behind one. Set to * to trust all IPs (do not use * if exposed to the internet).

What does that mean? Does that mean use the internal private LAN IP of the docker host? The external public IP of the host? The incoming IP from Cloudflare?
Cloudflare uses 15 IPv4 ranges for those redirects, and they are random https://www.cloudflare.com/ips/

And further, if using those IP/netmask, how does that improve any security? Is it about preventing spoofing? Can you please elaborate?

[d7415]

What does that mean?

That's not our page, so you should probably ask them. That said, it means Laravel will trust certain headers supplied by these IPs, such as X-Forwarded-For. I don't think the risk is especially high for Lychee, but we try to encourage best practice.

Does that mean use the internal private LAN IP of the docker host? The external public IP of the host? The incoming IP from Cloudflare?

Probably the reverse proxy between you and the internet, that in turn is configured to believe CloudFlare and pass these headers on.

Cloudflare uses 15 IPv4 ranges for those redirects, and they are random https://www.cloudflare.com/ips/

As you've found, they are not random. They even provide a list.

And further, if using those IP/netmask, how does that improve any security? Is it about preventing spoofing? Can you please elaborate?

As above.