diff --git a/go/security/guard.go b/go/security/guard.go
index 696b79d69..3c7e3bce3 100644
--- a/go/security/guard.go
+++ b/go/security/guard.go
@@ -6,6 +6,7 @@ import (
 	"net"
 	"net/http"
 	"regexp"
+	"strings"
 
 	"github.com/chrislusf/seaweedfs/go/glog"
 )
@@ -81,12 +82,26 @@ func (g *Guard) Secure(f func(w http.ResponseWriter, r *http.Request)) func(w ht
 	}
 }
 
+func GetActualRemoteHost(r *http.Request) (host string, err error) {
+	host = r.Header.Get("HTTP_X_FORWARDED_FOR")
+	if host == "" {
+		host = r.Header.Get("X-FORWARDED-FOR")
+	}
+	if strings.Contains(host, ",") {
+		host = host[0:strings.Index(host, ",")]
+	}
+	if host == "" {
+		host, _, err = net.SplitHostPort(r.RemoteAddr)
+	}
+	return
+}
+
 func (g *Guard) checkWhiteList(w http.ResponseWriter, r *http.Request) error {
 	if len(g.whiteList) == 0 {
 		return nil
 	}
 
-	host, _, err := net.SplitHostPort(r.RemoteAddr)
+	host, err := GetActualRemoteHost(r)
 	if err == nil {
 		for _, ip := range g.whiteList {
 
diff --git a/go/weed/weed_server/master_server.go b/go/weed/weed_server/master_server.go
index 3f6b3bc2d..c5d9646c9 100644
--- a/go/weed/weed_server/master_server.go
+++ b/go/weed/weed_server/master_server.go
@@ -113,6 +113,14 @@ func (ms *MasterServer) proxyToLeader(f func(w http.ResponseWriter, r *http.Requ
 			}
 			glog.V(4).Infoln("proxying to leader", ms.Topo.RaftServer.Leader())
 			proxy := httputil.NewSingleHostReverseProxy(targetUrl)
+			director := proxy.Director
+			proxy.Director = func(req *http.Request) {
+				actualHost, err := security.GetActualRemoteHost(req)
+				if err == nil {
+					req.Header.Set(("HTTP_X_FORWARDED_FOR", actualHost)
+				}
+				director(req)
+			}
 			proxy.Transport = util.Transport
 			proxy.ServeHTTP(w, r)
 		} else {