diff --git a/kamailio/websockets-role.cfg b/kamailio/websockets-role.cfg
index 074f60f..df0c3e7 100644
--- a/kamailio/websockets-role.cfg
+++ b/kamailio/websockets-role.cfg
@@ -26,6 +26,7 @@ loadmodule "xhttp.so"
 #!trydef WS_MAX_CONNECTIONS_PER_IP 50
 #!trydef WS_MAX_CONNECTIONS_PER_PROXY 0
 #!trydef WS_ALLOWED_PROXIES "0.0.0.0/0"
+#!trydef WS_CONNECTIONS_FROM_PROXY_ONLY 0
 ######## Websocket module ########
 loadmodule "websocket.so"
@@ -41,6 +42,7 @@ modparam("websocket", "sub_protocols", 1)
 kazoo.ws_allowed_proxies = WS_ALLOWED_PROXIES desc "comma separated list of allowed proxies in cidr notation"
 kazoo.ws_max_connection_per_ip = WS_MAX_CONNECTIONS_PER_IP desc "max connections per ip"
 kazoo.ws_max_connection_per_proxy = WS_MAX_CONNECTIONS_PER_PROXY desc "max connections per proxy"
+kazoo.ws_connections_via_proxy_only = WS_CONNECTIONS_FROM_PROXY_ONLY desc "only allow connections via proxy"
 event_route[xhttp:request]
 {
@@ -80,7 +82,13 @@ event_route[xhttp:request]
 #!endif
 if ($hdr(X-Forwarded-For) == $null) {
- $var(ws_orig_ip) = $si;
+ if($sel(cfg_get.kazoo.ws_connections_via_proxy_only) == 1) {
+ xlog("L_INFO", "websocket|log|request from $si without X-Forwarded-For Header and only allowed connections are via proxy\n");
+ xhttp_reply("403", "Forbidden", "", "");
+ exit;
+ } else {
+ $var(ws_orig_ip) = $si;
+ }
 } else {
 xlog("L_INFO", "websocket|log|request X-Forwarded-For $hdr(X-Forwarded-For) from $si\n");
 $var(ws_orig_ip) = $hdr(X-Forwarded-For);
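Review bot: The added setting is called `WS_CONNECTIONS_FROM_PROXY_ONLY` as a define but `kazoo.ws_connections_via_proxy_only` as the runtime variable, so an operator searching for one spelling will not find the other; pick either FROM or VIA for both. The `desc` text also does not say what the switch actually tests. Something like `desc "reject websocket requests that carry no X-Forwarded-For header (0 = off, 1 = on)"` would state the check and the accepted values.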
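Review bot: The new proxy-only branch in `event_route[xhttp:request]` treats the mere presence of `X-Forwarded-For` as evidence that the request came through a proxy, but that header is supplied by the sender, so a directly connected client that includes it never reaches the 403. Nothing in this hunk compares `$si` with `kazoo.ws_allowed_proxies`, and that list defaults to `"0.0.0.0/0"`; the route continues outside the hunk, so if no such check follows, the switch restricts nothing in the default configuration. I would trust the header only after the source address has matched the allowed-proxy list and reply 403 otherwise when the switch is on. The requirement should also be stated next to the define, for example `# needs WS_ALLOWED_PROXIES narrowed to the real proxy addresses`. Separately, the `else` after `exit;` is redundant and the assignment can sit directly after the closing brace.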