diff --git a/tequilapi/http_api_server.go b/tequilapi/http_api_server.go
index 9e8b774536..b566db09ee 100644
--- a/tequilapi/http_api_server.go
+++ b/tequilapi/http_api_server.go
@@ -80,6 +80,10 @@ func NewServer(
 		g.Use(middlewares.ApplyMiddlewareTokenAuth(authenticator))
 	}
 
+	// Set to protect localhost-only endpoints due to use of nodeUI proxy
+	// With this set, context.ClientIP() will return only IP set by trusted proxy, not by a client!
+	g.SetTrustedProxies([]string{"127.0.0.1"})
+
 	for _, h := range handlers {
 		err := h(g)
 		if err != nil {
diff --git a/tequilapi/middlewares/http_middlewares.go b/tequilapi/middlewares/http_middlewares.go
index e26c62c5c5..10620bd5ed 100644
--- a/tequilapi/middlewares/http_middlewares.go
+++ b/tequilapi/middlewares/http_middlewares.go
@@ -64,13 +64,13 @@ func NewHostFilter() func(*gin.Context) {
 // NewLocalhostOnlyFilter returns instance of middleware allowing only requests
 // with local client IP.
-// Don't forget to Engine.SetTrustedProxies() if reverse proxy is used.
 func NewLocalhostOnlyFilter() func(*gin.Context) {
 	return func(c *gin.Context) {
 		// ClientIP() parses the headers defined in Engine.RemoteIPHeaders if there is
-		clientIP := c.ClientIP()
-		if net.ParseIP(clientIP).IsLoopback() {
+		// so it handles clients behind proxy
+		isLocal := net.ParseIP(c.ClientIP()).IsLoopback()
+		if isLocal {
 			return
 		}
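Review bot: The trusted-proxy list covers only the IPv4 loopback, so a nodeUI proxy that reaches the API over `::1` (or another 127.0.0.0/8 address) would not be trusted, its forwarding headers would be ignored, and `c.ClientIP()` would return the loopback address — which `NewLocalhostOnlyFilter` accepts as local, letting a remote browser behind the proxy reach localhost-only endpoints; whether the proxy actually connects over IPv6 is not visible here, but `g.SetTrustedProxies([]string{"127.0.0.0/8", "::1"})` closes that gap cheaply. In current gin `SetTrustedProxies` returns an error for an unparsable entry, and the new line drops it; it should be checked and returned on the same error path the handler loop below already uses. The protection also depends on the proxy overwriting or appending `X-Forwarded-For`/`X-Real-IP` rather than passing a client-supplied value through, which is worth stating in the comment, e.g. `// The nodeUI proxy must set/append X-Forwarded-For itself; a passed-through client header would defeat NewLocalhostOnlyFilter.` NewServer continues outside the hunk.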