diff --git a/proxy.rst b/proxy.rst index 51eb9fbd..5cba751d 100644 --- a/proxy.rst +++ b/proxy.rst @@ -9,7 +9,12 @@ The proxy is installed on each cluster node. Access the ``HTTP routes`` card inside the ``Settings`` page to see all configured routes. Applications usually automatically setup the proxy during the configuration phase. -Automatic routes can't be modified. +Automatic routes can't be modified except for the allowed IPs. + +Each route can have a list of special attributes visible from the list: + +- ``automatic`` for created rules created by the applications +- ``access restricted`` if access is restricted to a specific network You can add a custom route by clicking :guilabel:`Create route` button. Then enter the following details: 
@@ -29,3 +34,24 @@ Then enter the following details: the application will be available on a URL like ``https://cluster.nethserver.org/myapp`` - ``Strip URL path prefix``: when ``Path`` field is not empty, strip the path before routing the request to the target URL - ``Request Let's Encrypt certificate`` enable this option to request a valid certificate, please remember :ref:`all requirements ` +- ``Restrict access from``: restrict access to the route to a specific network, by default the route is accessible from any network. + Enter a valid IPv4 address or CIDR network per line. + +.. note:: + The route named ``cluster-admin`` is a special route that is automatically created during the cluster setup. + It is used to access the cluster administration interface. + Please bear in mind that if you restrict access to this route: + + - you may prevent a new worker from joining the cluster + - you may lose access to the cluster configuration if you do not correctly enter your own IP address + + +If you loose access to the cluster administration interface, you can remove the access restriction from the command line. +Follow these steps: + +1. Access the cluster node using SSH with root privileges +2. Run the following command to remove the access restriction from the ``cluster-admin`` route: :: + + api-cli run module/traefik1/set-route --data '{"instance": "cluster-admin", "ip_allowlist": []}' + + Replace ``traefik1`` with the correct module identifier, if your cluster has multiple nodes. Traefik identifiers are listed in the ``HTTP routes`` page. \ No newline at end of file
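Review bot: in the first hunk (``@@ -9,7 +9,12 @@``), the new ``automatic`` list item reads "for created rules created by the applications": "created" is duplicated, and "rules" is used where the rest of the page says "routes". Suggest "``automatic`` for routes created by the applications". In the same hunk, "Automatic routes can't be modified except for the allowed IPs" names the setting differently from the ``Restrict access from`` field label added later in this patch. Using the field label in both places would let a reader match the sentence to the form.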
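Review bot: in the second hunk (``@@ -29,3 +34,24 @@``), the recovery steps end with "Traefik identifiers are listed in the ``HTTP routes`` page", but the procedure is for the case where access to the cluster administration interface has been lost, so that page may be unreachable when the reader needs it. Document a way to find the module identifier from the SSH session, or tell the reader to record it before applying a restriction to ``cluster-admin``. The note could also say which addresses must stay allowed so that a new worker can still join, since it only warns that joining may be prevented. Smaller points: "If you loose access" should be "If you lose access", the ``Restrict access from`` item says "a valid IPv4 address or CIDR network" without stating whether IPv6 entries are accepted, and the file now ends without a trailing newline.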