diff --git a/roles/httpd/reverseproxy/templates/reversepassproxy.flatpak-cache.conf b/roles/httpd/reverseproxy/templates/reversepassproxy.flatpak-cache.conf
index 88fc910b6c..a6a2e2ee25 100644
--- a/roles/httpd/reverseproxy/templates/reversepassproxy.flatpak-cache.conf
+++ b/roles/httpd/reverseproxy/templates/reversepassproxy.flatpak-cache.conf
@@ -1 +1,12 @@
-ProxyRemote "*" "http://worker01.ocp.stg.iad2.fedoraproject.org:31444"
\ No newline at end of file
+ProxyRemote "*" "http://worker01.ocp.stg.iad2.fedoraproject.org:31444"
+
+
+ProxyRequests On
+ProxyVia On
+ProxyPreserveHost On
+RequestHeader set X-Forwarded-Proto "https"
+RequestHeader set X-Forwarded-Port "443"
+
+ProxyPass / http://worker01.ocp.stg.iad2.fedoraproject.org:31444
+ProxyPassReverse / http://worker01.ocp.stg.iad2.fedoraproject.org:31444
+RemoteIPHeader X-Forwarded-For
\ No newline at end of file
diff --git a/roles/openshift-apps/flatpak-cache/templates/squid.conf b/roles/openshift-apps/flatpak-cache/templates/squid.conf
index e4164c2f8e..cdd2fde1b2 100644
--- a/roles/openshift-apps/flatpak-cache/templates/squid.conf
+++ b/roles/openshift-apps/flatpak-cache/templates/squid.conf
@@ -1,5 +1,6 @@
 acl openqa src 10.3.174.21-10.3.174.64
 acl batcave src 10.3.163.35
+acl proxies src 10.128.4.1
 acl SSL_ports port 443
 acl Safe_ports port 80 443
@@ -25,6 +26,8 @@ cache deny !cacheDomain
 # And finally deny all other access to this proxy
 http_access deny all
+# Trust proxies to have correct X-Forwarded-For
+follow_x_forwarded_for allow proxies
 http_port 3128 tcpkeepalive=60,30,3 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB tls-cert=/etc/pki/squid/ca/ca.crt tls-key=/etc/pki/squid/key/ca.key tls-dh=prime256v1:/etc/pki/squid/dhparam/dh.pem
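Review bot: `ProxyRequests On` in reversepassproxy.flatpak-cache.conf makes this virtual host act as a forward proxy, and nothing in the hunk restricts who may use it. `ProxyPass` and `ProxyRemote` both work with forward proxying disabled, so unless a forward proxy is intended the line should read `ProxyRequests Off`. If it is intended, a `<Proxy "*">` block with a `Require ip` list for the expected clients belongs next to it. The added `RemoteIPHeader X-Forwarded-For` also has no `RemoteIPInternalProxy` or `RemoteIPTrustedProxy` beside it, so this file does not pin down which senders may set the client address. The surrounding vhost is not visible here and may already cover both points.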
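Review bot: `follow_x_forwarded_for allow proxies` (second squid.conf hunk) makes squid take the client address from X-Forwarded-For on every connection from `10.128.4.1`, the address added as `acl proxies` in the first hunk. With `acl_uses_indirect_client` at its default of on, the `src` ACLs `openqa` and `batcave` are then matched against a header value rather than the TCP peer. That is only sound if `10.128.4.1` can be nothing but the httpd reverse proxy. The address looks like a cluster-internal gateway rather than a single host, so it is worth confirming that other traffic reaching the service port does not arrive from the same source. I would put a comment on the `acl proxies` line recording what the address is, for example `# source address of the httpd reverse proxy; only sender allowed to supply X-Forwarded-For` if that is the case. I would also move the `follow_x_forwarded_for` line up beside the ACL definitions so it does not read as part of the `http_access` list that ends in `deny all`.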