diff --git a/etc/nova/api-paste.ini b/etc/nova/api-paste.ini
index 7e20eaa7e20d..b73a9fea3992 100644
--- a/etc/nova/api-paste.ini
+++ b/etc/nova/api-paste.ini
@@ -6,7 +6,7 @@ use = egg:Paste#urlmap
 /: meta
 
 [pipeline:meta]
-pipeline = cors metaapp
+pipeline = cors http_proxy_to_wsgi metaapp
 
 [app:metaapp]
 paste.app_factory = nova.api.metadata.handler:MetadataRequestHandler.factory
diff --git a/nova/conf/api.py b/nova/conf/api.py
index 898741c7f59a..5c8a367e8e9b 100644
--- a/nova/conf/api.py
+++ b/nova/conf/api.py
@@ -42,7 +42,11 @@ Determine the strategy to use for authentication.
 """),
     cfg.BoolOpt("use_forwarded_for",
         default=False,
+        deprecated_for_removal=True,
+        deprecated_reason='This feature is duplicate of the HTTPProxyToWSGI '
+                          'middleware in oslo.middleware',
         deprecated_group="DEFAULT",
+        deprecated_since='26.0.0',
         help="""
 When True, the 'X-Forwarded-For' header is treated as the canonical remote
 address. When False (the default), the 'remote_address' header is used.
diff --git a/releasenotes/notes/deprecate-use_forwarded_for-f7b24eaf130782b9.yaml b/releasenotes/notes/deprecate-use_forwarded_for-f7b24eaf130782b9.yaml
new file mode 100644
index 000000000000..4068fedf6a2a
--- /dev/null
+++ b/releasenotes/notes/deprecate-use_forwarded_for-f7b24eaf130782b9.yaml
@@ -0,0 +1,12 @@
+---
+upgrade:
+  - |
+    The default ``api-paste.ini`` file has been updated and now the Metadata
+    API pipeline includes the ``HTTPProxyToWSGI`` middleware.
+
+deprecations:
+  - |
+    The ``[api] use_forwarded_for`` parameter has been deprecated. Instead of
+    using this parameter, add the ``HTTPProxyToWSGI`` middleware to api
+    pipelines, and ``[oslo_middleware] enable_proxy_headers_parsing = True``
+    to nova.conf.