diff --git a/docs/configuration/access-control.md b/docs/configuration/access-control.md index def8a463e..15cc1a6b7 100644 --- a/docs/configuration/access-control.md +++ b/docs/configuration/access-control.md @@ -139,6 +139,9 @@ A list of network addresses, ranges (CIDR notation) or groups can be specified i policies when requests originate from different networks. This list can contain both literal definitions of networks and [network aliases](#network-aliases). +Network addresses specified will be matched against the first IP in the X-Forwarded-For, and if there is none it will fall back to the IP address of the request. If using Authelia with a reverse proxy, additional configuration +may be required on the reverse proxy to ensure these headers are present and correct. + Main use cases for this rule option is to adjust the security requirements of a resource based on the location of the user. For example lets say a resource should be exposed both on the Internet and from an authenticated VPN for instance. Passing a second factor a first time to get access to the VPN and
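Review bot: In the added paragraph, "additional configuration may be required on the reverse proxy to ensure these headers are present and correct" is too vague for a value that decides which policy applies. The match uses the first IP in X-Forwarded-For, and that header arrives with the request, so the text should say what "correct" means: the reverse proxy has to set or overwrite X-Forwarded-For itself instead of passing through or appending to a value received from an untrusted client. Otherwise the networks rule is evaluated against an address the client supplied. It would also help to link to the proxy-specific docs, if they exist, from this sentence. Minor wording: write "the X-Forwarded-For header", change "these headers" to the singular to agree with it, and rewrap the first added line, which is far longer than the lines around it.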