diff --git a/docbook/auth-server-docs/reference/en/en-US/modules/server-installation.xml b/docbook/auth-server-docs/reference/en/en-US/modules/server-installation.xml
index 4b0e19ff3c..56f4631b69 100755
--- a/docbook/auth-server-docs/reference/en/en-US/modules/server-installation.xml
+++ b/docbook/auth-server-docs/reference/en/en-US/modules/server-installation.xml
@@ -841,6 +841,10 @@ $ keytool -import -alias yourdomain -keystore keycloak.jks -file your-certificat
 
         <section id="proxy-address-forwarding">
             <title>Configure reverse proxy for address forwarding</title>
+            <para>
+                Keycloak needs to know the original request URL as this is needed for example to set the correct issuer in tokens as well as redirects, links, etc.
+                This requires the reverse proxy to pass the original <literal>Host</literal> header.
+            </para>
             <para>
                 Keycloak has some functionalities (for example <link linkend='events'>Events</link> or <link linkend="brute-force-attacks">Brute Force protector</link>)
                 that relies on the fact, that remote address of the HTTP connection is the real IP address of the client machine. This may be a bit tricky when you have setup