diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml
index 7fa79d97e..4b2681ec1 100644
--- a/roles/custom/matrix-synapse/defaults/main.yml
+++ b/roles/custom/matrix-synapse/defaults/main.yml
@@ -135,10 +135,22 @@ matrix_synapse_ext_s3_storage_provider_data_path: "{{ matrix_synapse_ext_s3_stor
 matrix_synapse_container_client_api_port: 8008
+# Controls the `x_forwarded` setting for the "Insecure HTTP listener (Client API)".
+# We default this to `true`, because such insecure HTTP listeners are most likely behind a reverse-proxy (that handles TLS).
+matrix_synapse_container_client_api_x_forwarded: true
+
 matrix_synapse_container_federation_api_tls_port: 8448
+# Controls the `x_forwarded` setting for the "TLS-enabled federation listener".
+# We default this to `false`, because TLS-enabled listeners are likely to be exposed directly (instead of being behind a reverse-proxy).
+matrix_synapse_container_federation_api_tls_x_forwarded: false
+
 matrix_synapse_container_federation_api_plain_port: 8048
+# Controls the `x_forwarded` setting for the "Insecure federation listener".
+# We default this to `true`, because such insecure HTTP listeners are most likely behind a reverse-proxy (that handles TLS).
+matrix_synapse_container_federation_api_plain_x_forwarded: true
+
 # The base container network. It will be auto-created by this role if it doesn't exist already.
 matrix_synapse_container_network: ''
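Review bot: The comments on the three new `*_x_forwarded` defaults explain why each value was chosen but not what the setting costs when that assumption does not hold: with `x_forwarded: true` Synapse takes the client address from the forwarded header it receives, so if that listener is reachable by anything other than a trusted reverse-proxy, the client IP Synapse records (and uses for rate limiting and IP-based logging) is supplied by the caller rather than observed. Suggest one extra line under each comment, e.g. `# Only keep this enabled if the listener is reachable exclusively through a trusted reverse-proxy; otherwise the reported client IP can be chosen by the connecting party.` The same wording belongs on `matrix_synapse_worker_listeners_http_main_x_forwarded` in the later hunk of this file. The TLS-listener default is the only one set to `false`, so operators who do terminate TLS upstream of that listener must flip it themselves; the comment could say so explicitly.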
@@ -838,6 +850,10 @@ matrix_synapse_manhole_enabled: false
 # Enable support for Synapse workers
 matrix_synapse_workers_enabled: false
+# Controls the `x_forwarded` setting for the main `http` listener for Synapse workers.
+# We default this to `true`, because such insecure HTTP listeners are most likely behind a reverse-proxy (that handles TLS).
+matrix_synapse_worker_listeners_http_main_x_forwarded: true
+
 # Specifies worker configuration that should be used when workers are enabled.
 #
 # The possible values (as seen in `matrix_synapse_workers_presets`) are:
diff --git a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2
index 0eb99c29c..50a52d3bb 100644
--- a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2
+++ b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2
@@ -298,7 +298,7 @@ listeners:
 tls: true
 bind_addresses: ['::']
 type: http
-x_forwarded: false
+x_forwarded: {{ matrix_synapse_container_federation_api_tls_x_forwarded | to_json }}
 resources:
 - names: {{ matrix_synapse_federation_listener_resource_names|to_json }}
@@ -311,7 +311,7 @@ listeners:
 tls: false
 bind_addresses: ['::']
 type: http
-x_forwarded: true
+x_forwarded: {{ matrix_synapse_container_client_api_x_forwarded | to_json }}
 resources:
 - names: {{ matrix_synapse_http_listener_resource_names|to_json }}
@@ -324,7 +324,7 @@ listeners:
 tls: false
 bind_addresses: ['::']
 type: http
-x_forwarded: true
+x_forwarded: {{ matrix_synapse_container_federation_api_plain_x_forwarded | to_json }}
 resources:
 - names: {{ matrix_synapse_federation_listener_resource_names|to_json }}
diff --git a/roles/custom/matrix-synapse/templates/synapse/worker.yaml.j2 b/roles/custom/matrix-synapse/templates/synapse/worker.yaml.j2
index a8f74b3bc..437b84a36 100644
--- a/roles/custom/matrix-synapse/templates/synapse/worker.yaml.j2
+++ b/roles/custom/matrix-synapse/templates/synapse/worker.yaml.j2
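Review bot: `to_json` emits whatever type the variable currently holds, so an operator who overrides `matrix_synapse_container_federation_api_tls_x_forwarded` via `-e` or an inventory string produces `x_forwarded: "true"` (or `"false"`) in the rendered listener — a YAML string, not the boolean the previous hard-coded literal guaranteed; depending on how Synapse reads the key, a string may be rejected or, worse, treated as truthy regardless of its text. Suggest normalising before rendering, `x_forwarded: {{ matrix_synapse_container_federation_api_tls_x_forwarded | bool | to_json }}`, and the same `| bool` in the client-API and plain-federation hunks of this file and in the worker.yaml.j2 hunk. Each of these hunks sits inside a `listeners:` item whose `- port:` line is outside the hunk.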
@@ -46,7 +46,7 @@ worker_listeners:
 {% if http_resources|length > 0 %}
 - type: http
 bind_addresses: ['::']
-x_forwarded: true
+x_forwarded: {{ matrix_synapse_worker_listeners_http_main_x_forwarded | to_json }}
 port: {{ matrix_synapse_worker_details.port }}
 resources:
 - names: {{ http_resources|to_json }}