diff --git a/core/includes/bootstrap.inc b/core/includes/bootstrap.inc
index 77458a1..f1f6b83 100644
--- a/core/includes/bootstrap.inc
+++ b/core/includes/bootstrap.inc
@@ -3044,13 +3044,13 @@ function ip_address() {
 if (!isset($ip_address)) {
 $ip_address = $_SERVER['REMOTE_ADDR'];
-
- if (variable_get('reverse_proxy', 0)) {
- $reverse_proxy_header = variable_get('reverse_proxy_header', 'HTTP_X_FORWARDED_FOR');
+ $reverse_proxy_config = config('system.reverse-proxy');
+ if ($reverse_proxy_config->get('enabled')) {
+ $reverse_proxy_header = $reverse_proxy_config->get('header');
 if (!empty($_SERVER[$reverse_proxy_header])) {
 // If an array of known reverse proxy IPs is provided, then trust
 // the XFF header if request really comes from one of them.
- $reverse_proxy_addresses = variable_get('reverse_proxy_addresses', array());
+ $reverse_proxy_addresses = $reverse_proxy_config->get('addresses');
 // Turn XFF header into an array.
 $forwarded = explode(',', $_SERVER[$reverse_proxy_header]);
diff --git a/core/modules/system/config/system.reverse-proxy.yml b/core/modules/system/config/system.reverse-proxy.yml
new file mode 100644
index 0000000..09b8371
--- /dev/null
+++ b/core/modules/system/config/system.reverse-proxy.yml
@@ -0,0 +1,3 @@
+enabled: false
+header: 'HTTP_X_FORWARDED_FOR'
+addresses: []
diff --git a/core/modules/system/lib/Drupal/system/Tests/Bootstrap/IpAddressTest.php b/core/modules/system/lib/Drupal/system/Tests/Bootstrap/IpAddressTest.php
index 7668949..2fef93e 100644
--- a/core/modules/system/lib/Drupal/system/Tests/Bootstrap/IpAddressTest.php
+++ b/core/modules/system/lib/Drupal/system/Tests/Bootstrap/IpAddressTest.php
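Review bot: In core/includes/bootstrap.inc, ip_address() loses its fallbacks for the header name and the trusted-proxy list: the removed `variable_get()` calls supplied `'HTTP_X_FORWARDED_FOR'` and `array()` as defaults, while `$reverse_proxy_config->get('header')` and `->get('addresses')` return only what is stored (as far as I know, NULL for a missing key). If either key is absent from the stored object, `$_SERVER` would be indexed with an empty key and the address list would presumably not be an array when it is checked further down, outside this hunk. Because this list decides whether a client-supplied forwarding header is trusted, I would keep the defaults explicit, e.g. `$reverse_proxy_header = $reverse_proxy_config->get('header') ?: 'HTTP_X_FORWARDED_FOR';` and `$reverse_proxy_addresses = (array) $reverse_proxy_config->get('addresses');`. The function body starts before and continues after the hunk.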
@@ -57,15 +57,18 @@ class IpAddressTest extends WebTestBase {
 'Got remote IP address.'
 );
+ $reverse_proxy_config = config('system.reverse-proxy');
 // Proxy forwarding on but no proxy addresses defined.
- variable_set('reverse_proxy', 1);
+ $reverse_proxy_config->set('enabled', TRUE)->save();
 $this->assertTrue(
 ip_address() == $this->remote_ip,
 'Proxy forwarding without trusted proxies got remote IP address.'
 );
 // Proxy forwarding on and proxy address not trusted.
- variable_set('reverse_proxy_addresses', array($this->proxy_ip, $this->proxy2_ip));
+ $reverse_proxy_config
+ ->set('addresses', array($this->proxy_ip, $this->proxy2_ip))
+ ->save();
 drupal_static_reset('ip_address');
 $_SERVER['REMOTE_ADDR'] = $this->untrusted_ip;
 $this->assertTrue(
@@ -92,7 +95,9 @@ class IpAddressTest extends WebTestBase {
 );
 // Custom client-IP header.
- variable_set('reverse_proxy_header', 'HTTP_X_CLUSTER_CLIENT_IP');
+ $reverse_proxy_config
+ ->set('header', 'HTTP_X_CLUSTER_CLIENT_IP')
+ ->save();
 $_SERVER['HTTP_X_CLUSTER_CLIENT_IP'] = $this->cluster_ip;
 drupal_static_reset('ip_address');
 $this->assertTrue(
diff --git a/core/modules/system/system.install b/core/modules/system/system.install
index 05459d0..bfd672a 100644
--- a/core/modules/system/system.install
+++ b/core/modules/system/system.install
@@ -2099,6 +2099,20 @@ function system_update_8022() {
 $schema->dropTable('router');
 $schema->createTable('router', $tables['router']);
+
+}
+
+/**
+ * Moves reverse proxy settings from variable to config.
+ *
+ * @ingroup config_upgrade
+ */
+function system_update_8023() {
+ update_variables_to_config('system.reverse-proxy', array(
+ 'reverse_proxy' => 'enabled',
+ 'reverse_proxy_addresses' => 'addresses',
+ 'reverse_proxy_header' => 'header',
+ ));
 }
 /**
diff --git a/sites/default/default.settings.php b/sites/default/default.settings.php
index 0999b36..faeb1aa 100755
--- a/sites/default/default.settings.php
+++ b/sites/default/default.settings.php
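Review bot: In IpAddressTest.php (first hunk), the assertion that follows `$reverse_proxy_config->set('enabled', TRUE)->save();` calls ip_address() without a preceding `drupal_static_reset('ip_address');`, unlike the next block, which resets before asserting. If the assertion above it (its start is outside the hunk) already called ip_address(), the value comes from the static cache and 'Proxy forwarding without trusted proxies got remote IP address.' passes whether or not the `enabled` flag is read at all. That assertion covers the fail-closed case (forwarding on, no trusted proxies), so I would add `drupal_static_reset('ip_address');` directly after the save().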
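Review bot: In system.install, system_update_8023() migrates only what update_variables_to_config() can read, which as far as I know is the stored variable values. Sites that followed default.settings.php and set `$conf['reverse_proxy']`, `$conf['reverse_proxy_addresses']` or `$conf['reverse_proxy_header']` in settings.php would keep the old keys there and end up with `enabled: false` after the update. ip_address() would then report the proxy's address for every request, which affects anything keyed on client IP. The docblock should say so, e.g. add `* Overrides set in settings.php are not migrated and must be renamed to $conf['system.reverse-proxy'][...] by hand.` Separately, the hunk adds an empty line before the closing brace of system_update_8022(), which looks unintended.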
@@ -398,35 +398,36 @@ ini_set('session.cookie_lifetime', 2000000);
 * malicious client could bypass restrictions by setting the
 * X-Forwarded-For header directly. Therefore, Drupal's proxy
 * configuration requires the IP addresses of all remote proxies to be
- * specified in $conf['reverse_proxy_addresses'] to work correctly.
+ * specified in $conf['system.reverse-proxy']['addresses'] to work correctly.
 *
 * Enable this setting to get Drupal to determine the client IP from
- * the X-Forwarded-For header (or $conf['reverse_proxy_header'] if set).
- * If you are unsure about this setting, do not have a reverse proxy,
+ * the X-Forwarded-For header (or $conf['system.reverse-proxy']['header'] if
+ * set). If you are unsure about this setting, do not have a reverse proxy,
 * or Drupal operates in a shared hosting environment, this setting
 * should remain commented out.
 *
 * In order for this setting to be used you must specify every possible
- * reverse proxy IP address in $conf['reverse_proxy_addresses'].
+ * reverse proxy IP address in $conf['system.reverse-proxy']['addresses'].
 * If a complete list of reverse proxies is not available in your
 * environment (for example, if you use a CDN) you may set the
 * $_SERVER['REMOTE_ADDR'] variable directly in settings.php.
 * Be aware, however, that it is likely that this would allow IP
 * address spoofing unless more advanced precautions are taken.
 */
-# $conf['reverse_proxy'] = TRUE;
+# $conf['system.reverse-proxy']['enabled'] = TRUE;
 /**
 * Specify every reverse proxy IP address in your environment.
- * This setting is required if $conf['reverse_proxy'] is TRUE.
+ * This setting is required if $conf['system.reverse-proxy']['enabled'] is
+ * TRUE.
 */
-# $conf['reverse_proxy_addresses'] = array('a.b.c.d', ...);
+# $conf['system.reverse-proxy']['addresses'] = array('a.b.c.d', ...);
 /**
 * Set this value if your proxy server sends the client IP in a header
 * other than X-Forwarded-For.
 */
-# $conf['reverse_proxy_header'] = 'HTTP_X_CLUSTER_CLIENT_IP';
+# $conf['system.reverse-proxy']['header'] = 'HTTP_X_CLUSTER_CLIENT_IP';
 /**
 * Page caching: