diff --git a/.editorconfig b/.editorconfig old mode 100755 new mode 100644 diff --git a/.github/CONTRIBUTING.md b/.github/CONTRIBUTING.md old mode 100755 new mode 100644 diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml old mode 100755 new mode 100644 diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml old mode 100755 new mode 100644 diff --git a/.github/ISSUE_TEMPLATE/issue.bug.yml b/.github/ISSUE_TEMPLATE/issue.bug.yml old mode 100755 new mode 100644 diff --git a/.github/ISSUE_TEMPLATE/issue.feature.yml b/.github/ISSUE_TEMPLATE/issue.feature.yml old mode 100755 new mode 100644 diff --git a/.github/workflows/call_issue_pr_tracker.yml b/.github/workflows/call_issue_pr_tracker.yml old mode 100755 new mode 100644 diff --git a/.github/workflows/call_issues_cron.yml b/.github/workflows/call_issues_cron.yml old mode 100755 new mode 100644 diff --git a/.github/workflows/external_trigger.yml b/.github/workflows/external_trigger.yml old mode 100755 new mode 100644 diff --git a/.github/workflows/external_trigger_scheduler.yml b/.github/workflows/external_trigger_scheduler.yml old mode 100755 new mode 100644 diff --git a/.github/workflows/greetings.yml b/.github/workflows/greetings.yml old mode 100755 new mode 100644 diff --git a/.github/workflows/package_trigger_scheduler.yml b/.github/workflows/package_trigger_scheduler.yml old mode 100755 new mode 100644 diff --git a/.github/workflows/permissions.yml b/.github/workflows/permissions.yml old mode 100755 new mode 100644 diff --git a/Dockerfile b/Dockerfile index 85cdbf4..f0d03d0 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -FROM ghcr.io/linuxserver/baseimage-alpine-nginx:3.20 +FROM ghcr.io/linuxserver/baseimage-alpine-nginx:3.22 # set version label ARG BUILD_DATE 
@@ -12,13 +12,13 @@ LABEL maintainer="aptalca" RUN \ echo "**** install runtime packages ****" && \ apk add --no-cache \ - php83-dom \ - php83-intl \ - php83-opcache \ - php83-pdo_mysql \ - php83-pdo_pgsql \ - php83-pdo_sqlite \ - php83-tokenizer && \ + php84-dom \ + php84-intl \ + php84-opcache \ + php84-pdo_mysql \ + php84-pdo_pgsql \ + php84-pdo_sqlite \ + php84-tokenizer && \ echo "**** configure nginx ****" && \ echo 'fastcgi_param PHP_AUTH_USER $remote_user; # Heimdall user authorization' >> \ /etc/nginx/fastcgi_params && \ @@ -26,7 +26,11 @@ RUN \ /etc/nginx/fastcgi_params && \ echo "**** configure php opcache ****" && \ echo 'opcache.validate_timestamps=0' >> \ - /etc/php83/conf.d/00_opcache.ini && \ + /etc/php84/conf.d/00_opcache.ini && \ + echo "**** configure php-fpm to pass env vars ****" && \ + sed -E -i 's/^;?clear_env ?=.*$/clear_env = no/g' /etc/php84/php-fpm.d/www.conf && \ + if ! grep -qxF 'clear_env = no' /etc/php84/php-fpm.d/www.conf; then echo 'clear_env = no' >> /etc/php84/php-fpm.d/www.conf; fi && \ + echo "env[PATH] = /usr/local/bin:/usr/bin:/bin" >> /etc/php84/php-fpm.conf && \ echo "**** install heimdall ****" && \ mkdir -p \ /heimdall && \ diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64 index e1fc0ea..eb24171 100644 --- a/Dockerfile.aarch64 +++ b/Dockerfile.aarch64 @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -FROM ghcr.io/linuxserver/baseimage-alpine-nginx:arm64v8-3.20 +FROM ghcr.io/linuxserver/baseimage-alpine-nginx:arm64v8-3.22 # set version label ARG BUILD_DATE 
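Review bot: `clear_env = no` in the added php-fpm block hands every container environment variable to the PHP workers, not only the new `ALLOW_INTERNAL_REQUESTS` flag. Any secret injected into the container (for instance through the environment-variables-from-files mechanism the README describes) becomes readable via `getenv()` and is inherited by child processes. If the application needs only that one flag, a narrower form is a single pool entry such as `echo 'env[ALLOW_INTERNAL_REQUESTS] = $ALLOW_INTERNAL_REQUESTS' >> /etc/php84/php-fpm.d/www.conf` (confirm how php-fpm treats the variable when it is unset); if full passthrough is intended, say so in a comment above the block. The `env[PATH]` line is appended to `/etc/php84/php-fpm.conf` although `env[...]` is a pool directive, so it presumably takes effect only because the pool include comes last in that file; appending it to `/etc/php84/php-fpm.d/www.conf` would not depend on include order. The same block is repeated in the Dockerfile.aarch64 hunk, and the RUN instruction continues outside both hunks.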
@@ -12,13 +12,13 @@ LABEL maintainer="aptalca" RUN \ echo "**** install runtime packages ****" && \ apk add --no-cache \ - php83-dom \ - php83-intl \ - php83-opcache \ - php83-pdo_mysql \ - php83-pdo_pgsql \ - php83-pdo_sqlite \ - php83-tokenizer && \ + php84-dom \ + php84-intl \ + php84-opcache \ + php84-pdo_mysql \ + php84-pdo_pgsql \ + php84-pdo_sqlite \ + php84-tokenizer && \ echo "**** configure nginx ****" && \ echo 'fastcgi_param PHP_AUTH_USER $remote_user; # Heimdall user authorization' >> \ /etc/nginx/fastcgi_params && \ @@ -26,7 +26,11 @@ RUN \ /etc/nginx/fastcgi_params && \ echo "**** configure php opcache ****" && \ echo 'opcache.validate_timestamps=0' >> \ - /etc/php83/conf.d/00_opcache.ini && \ + /etc/php84/conf.d/00_opcache.ini && \ + echo "**** configure php-fpm to pass env vars ****" && \ + sed -E -i 's/^;?clear_env ?=.*$/clear_env = no/g' /etc/php84/php-fpm.d/www.conf && \ + if ! grep -qxF 'clear_env = no' /etc/php84/php-fpm.d/www.conf; then echo 'clear_env = no' >> /etc/php84/php-fpm.d/www.conf; fi && \ + echo "env[PATH] = /usr/local/bin:/usr/bin:/bin" >> /etc/php84/php-fpm.conf && \ echo "**** install heimdall ****" && \ mkdir -p \ /heimdall && \ diff --git a/LICENSE b/LICENSE old mode 100755 new mode 100644 diff --git a/README.md b/README.md index 90af355..7861f9d 100644 --- a/README.md +++ b/README.md @@ -94,6 +94,7 @@ services: - PUID=1000 - PGID=1000 - TZ=Etc/UTC + - ALLOW_INTERNAL_REQUESTS=false #optional volumes: - /path/to/heimdall/config:/config ports: @@ -110,6 +111,7 @@ docker run -d \ -e PUID=1000 \ -e PGID=1000 \ -e TZ=Etc/UTC \ + -e ALLOW_INTERNAL_REQUESTS=false `#optional` \ -p 80:80 \ -p 443:443 \ -v /path/to/heimdall/config:/config \ 
@@ -128,6 +130,7 @@ Containers are configured using parameters passed at runtime (such as those abov | `-e PUID=1000` | for UserID - see below for explanation | | `-e PGID=1000` | for GroupID - see below for explanation | | `-e TZ=Etc/UTC` | specify a timezone to use, see this [list](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List). | +| `-e ALLOW_INTERNAL_REQUESTS=false` | By default, Heimdall blocks requests to private or reserved IP addresses, if your instance is not exposed to the internet, or is behind some level of authentication, you can set this to `true` to allow requests to private IP addresses. | | `-v /config` | Persistent config files | ## Environment variables from files (Docker secrets) @@ -292,6 +295,7 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64 ## Versions +* **17.07.25:** - Rebase to Alpine 3.20. * **27.06.24:** - Rebase to Alpine 3.20. Existing users should update their nginx confs to avoid http2 deprecation warnings. * **07.03.24:** - Enable the opcache and disable file revalidation. * **06.03.24:** - Existing users should update: site-confs/default.conf - Cleanup default site conf. diff --git a/readme-vars.yml b/readme-vars.yml index c4b8208..3a3438d 100644 --- a/readme-vars.yml +++ b/readme-vars.yml @@ -30,6 +30,9 @@ param_usage_include_ports: true param_ports: - {external_port: "80", internal_port: "80", port_desc: "http gui"} - {external_port: "443", internal_port: "443", port_desc: "https gui"} +opt_param_usage_include_env: true +opt_param_env_vars: + - {env_var: "ALLOW_INTERNAL_REQUESTS", env_value: "false", desc: "By default, Heimdall blocks requests to private or reserved IP addresses, if your instance is not exposed to the internet, or is behind some level of authentication, you can set this to `true` to allow requests to private IP addresses."} # application setup block app_setup_block_enabled: true app_setup_block: | 
@@ -99,6 +102,7 @@ init_diagram: | "heimdall:development" <- Base Images # changelog changelogs: + - {date: "17.07.25:", desc: "Rebase to Alpine 3.22, enable PHP environment passthrough."} - {date: "27.06.24:", desc: "Rebase to Alpine 3.20. Existing users should update their nginx confs to avoid http2 deprecation warnings."} - {date: "07.03.24:", desc: "Enable the opcache and disable file revalidation."} - {date: "06.03.24:", desc: "Existing users should update: site-confs/default.conf - Cleanup default site conf."}