diff --git a/.editorconfig b/.editorconfig
old mode 100755
new mode 100644
diff --git a/.github/CONTRIBUTING.md b/.github/CONTRIBUTING.md
old mode 100755
new mode 100644
diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
old mode 100755
new mode 100644
diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml
old mode 100755
new mode 100644
diff --git a/.github/ISSUE_TEMPLATE/issue.bug.yml b/.github/ISSUE_TEMPLATE/issue.bug.yml
old mode 100755
new mode 100644
diff --git a/.github/ISSUE_TEMPLATE/issue.feature.yml b/.github/ISSUE_TEMPLATE/issue.feature.yml
old mode 100755
new mode 100644
diff --git a/.github/workflows/call_issue_pr_tracker.yml b/.github/workflows/call_issue_pr_tracker.yml
old mode 100755
new mode 100644
diff --git a/.github/workflows/call_issues_cron.yml b/.github/workflows/call_issues_cron.yml
old mode 100755
new mode 100644
diff --git a/.github/workflows/external_trigger.yml b/.github/workflows/external_trigger.yml
old mode 100755
new mode 100644
diff --git a/.github/workflows/external_trigger_scheduler.yml b/.github/workflows/external_trigger_scheduler.yml
old mode 100755
new mode 100644
diff --git a/.github/workflows/greetings.yml b/.github/workflows/greetings.yml
old mode 100755
new mode 100644
diff --git a/.github/workflows/package_trigger_scheduler.yml b/.github/workflows/package_trigger_scheduler.yml
old mode 100755
new mode 100644
diff --git a/.github/workflows/permissions.yml b/.github/workflows/permissions.yml
old mode 100755
new mode 100644
diff --git a/Dockerfile b/Dockerfile
index 380fdc0..61e0ca6 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
-FROM ghcr.io/linuxserver/baseimage-alpine-nginx:3.20
+FROM ghcr.io/linuxserver/baseimage-alpine-nginx:3.22
 # set version label
 ARG BUILD_DATE
@@ -12,13 +12,13 @@ LABEL maintainer="aptalca"
 RUN \
 echo "**** install runtime packages ****" && \
 apk add --no-cache \
- php83-dom \
- php83-intl \
- php83-pdo_pgsql \
- php83-pdo_sqlite \
- php83-pdo_mysql \
- php83-opcache \
- php83-tokenizer && \
+ php84-dom \
+ php84-intl \
+ php84-opcache \
+ php84-pdo_mysql \
+ php84-pdo_pgsql \
+ php84-pdo_sqlite \
+ php84-tokenizer && \
 echo "**** configure nginx ****" && \
 echo 'fastcgi_param PHP_AUTH_USER $remote_user; # Heimdall user authorization' >> \
 /etc/nginx/fastcgi_params && \
@@ -26,7 +26,11 @@ RUN \
 /etc/nginx/fastcgi_params && \
 echo "**** configure php opcache ****" && \
 echo 'opcache.validate_timestamps=0' >> \
- /etc/php83/conf.d/00_opcache.ini && \
+ /etc/php84/conf.d/00_opcache.ini && \
+ echo "**** configure php-fpm to pass env vars ****" && \
+ sed -E -i 's/^;?clear_env ?=.*$/clear_env = no/g' /etc/php84/php-fpm.d/www.conf && \
+ if ! grep -qxF 'clear_env = no' /etc/php84/php-fpm.d/www.conf; then echo 'clear_env = no' >> /etc/php84/php-fpm.d/www.conf; fi && \
+ echo "env[PATH] = /usr/local/bin:/usr/bin:/bin" >> /etc/php84/php-fpm.conf && \
 echo "**** install heimdall ****" && \
 mkdir -p \
 /heimdall && \
diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64
index bcc373a..360f074 100644
--- a/Dockerfile.aarch64
+++ b/Dockerfile.aarch64
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
-FROM ghcr.io/linuxserver/baseimage-alpine-nginx:arm64v8-3.20
+FROM ghcr.io/linuxserver/baseimage-alpine-nginx:arm64v8-3.22
 # set version label
 ARG BUILD_DATE
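Review bot: In the `@@ -26,7 +26,11 @@` hunk of Dockerfile, forcing `clear_env = no` in `/etc/php84/php-fpm.d/www.conf` hands every container environment variable to the PHP workers rather than only the new `ALLOW_INTERNAL_REQUESTS` toggle, so any secret supplied as an environment variable becomes readable from application code or a diagnostic page. A narrower form is to leave `clear_env` at its default and whitelist the variable in the pool file, e.g. `env[ALLOW_INTERNAL_REQUESTS] = $ALLOW_INTERNAL_REQUESTS`, assuming that is the only variable Heimdall needs from the environment (confirm against the app). Separately, the `env[PATH]` line is appended to `/etc/php84/php-fpm.conf` while the other edits target `php-fpm.d/www.conf`; `env[...]` is a pool directive, so it presumably only takes effect because it lands after the pool include, and writing it to `www.conf` would make that explicit. The identical `@@ -26,7 +26,11 @@` hunk in Dockerfile.aarch64 has the same two points. The `RUN` instruction starts and ends outside both hunks.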
@@ -12,13 +12,13 @@ LABEL maintainer="aptalca"
 RUN \
 echo "**** install runtime packages ****" && \
 apk add --no-cache \
- php83-dom \
- php83-intl \
- php83-pdo_pgsql \
- php83-pdo_sqlite \
- php83-pdo_mysql \
- php83-opcache \
- php83-tokenizer && \
+ php84-dom \
+ php84-intl \
+ php84-opcache \
+ php84-pdo_mysql \
+ php84-pdo_pgsql \
+ php84-pdo_sqlite \
+ php84-tokenizer && \
 echo "**** configure nginx ****" && \
 echo 'fastcgi_param PHP_AUTH_USER $remote_user; # Heimdall user authorization' >> \
 /etc/nginx/fastcgi_params && \
@@ -26,7 +26,11 @@ RUN \
 /etc/nginx/fastcgi_params && \
 echo "**** configure php opcache ****" && \
 echo 'opcache.validate_timestamps=0' >> \
- /etc/php83/conf.d/00_opcache.ini && \
+ /etc/php84/conf.d/00_opcache.ini && \
+ echo "**** configure php-fpm to pass env vars ****" && \
+ sed -E -i 's/^;?clear_env ?=.*$/clear_env = no/g' /etc/php84/php-fpm.d/www.conf && \
+ if ! grep -qxF 'clear_env = no' /etc/php84/php-fpm.d/www.conf; then echo 'clear_env = no' >> /etc/php84/php-fpm.d/www.conf; fi && \
+ echo "env[PATH] = /usr/local/bin:/usr/bin:/bin" >> /etc/php84/php-fpm.conf && \
 echo "**** install heimdall ****" && \
 mkdir -p \
 /heimdall && \
diff --git a/LICENSE b/LICENSE
old mode 100755
new mode 100644
diff --git a/README.md b/README.md
index feda330..d8aa8ce 100644
--- a/README.md
+++ b/README.md
@@ -94,6 +94,7 @@ services:
 - PUID=1000
 - PGID=1000
 - TZ=Etc/UTC
+ - ALLOW_INTERNAL_REQUESTS=false #optional
 volumes:
 - /path/to/heimdall/config:/config
 ports:
@@ -110,6 +111,7 @@ docker run -d \
 -e PUID=1000 \
 -e PGID=1000 \
 -e TZ=Etc/UTC \
+ -e ALLOW_INTERNAL_REQUESTS=false `#optional` \
 -p 80:80 \
 -p 443:443 \
 -v /path/to/heimdall/config:/config \
@@ -128,6 +130,7 @@ Containers are configured using parameters passed at runtime (such as those abov
 | `-e PUID=1000` | for UserID - see below for explanation |
 | `-e PGID=1000` | for GroupID - see below for explanation |
 | `-e TZ=Etc/UTC` | specify a timezone to use, see this [list](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List). |
+| `-e ALLOW_INTERNAL_REQUESTS=false` | By default, Heimdall blocks lookup requests to private or reserved IP addresses, if your instance is not exposed to the internet, or is behind some level of authentication, you can set this to `true` to allow requests to private IP addresses. |
 | `-v /config` | Persistent config files |
 ## Environment variables from files (Docker secrets)
@@ -292,6 +295,7 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64
 ## Versions
+* **20.07.25:** - Rebase to Alpine 3.22, enable PHP environment passthrough.
 * **27.06.24:** - Rebase to Alpine 3.20. Existing users should update their nginx confs to avoid http2 deprecation warnings.
 * **07.03.24:** - Enable the opcache and disable file revalidation.
 * **06.03.24:** - Existing users should update: site-confs/default.conf - Cleanup default site conf.
diff --git a/readme-vars.yml b/readme-vars.yml
index deae388..2bbcbfe 100644
--- a/readme-vars.yml
+++ b/readme-vars.yml
@@ -31,6 +31,9 @@ param_usage_include_ports: true
 param_ports:
 - {external_port: "80", internal_port: "80", port_desc: "http gui"}
 - {external_port: "443", internal_port: "443", port_desc: "https gui"}
+opt_param_usage_include_env: true
+opt_param_env_vars:
+ - {env_var: "ALLOW_INTERNAL_REQUESTS", env_value: "false", desc: "By default, Heimdall blocks lookup requests to private or reserved IP addresses, if your instance is not exposed to the internet, or is behind some level of authentication, you can set this to `true` to allow requests to private IP addresses."}
 # application setup block
 app_setup_block_enabled: true
 app_setup_block: |
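Review bot: The `desc` added for `ALLOW_INTERNAL_REQUESTS` in the `@@ -31,6 +31,9 @@` hunk of readme-vars.yml is a single comma-spliced sentence and never states what enabling the option exposes, which is what an operator needs in order to decide. Splitting it and naming the trade-off would read better, for example `desc: "Heimdall blocks lookup requests to private or reserved IP addresses by default. Set this to true only if the instance is not exposed to the internet or sits behind authentication, because it lets Heimdall send requests to hosts on the internal network."`. The README.md hunks carry the same sentence, presumably generated from this file, so correcting it here should cover both.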
@@ -100,6 +103,7 @@ init_diagram: |
 "heimdall:latest" <- Base Images
 # changelog
 changelogs:
+ - {date: "20.07.25:", desc: "Rebase to Alpine 3.22, enable PHP environment passthrough."}
 - {date: "27.06.24:", desc: "Rebase to Alpine 3.20. Existing users should update their nginx confs to avoid http2 deprecation warnings."}
 - {date: "07.03.24:", desc: "Enable the opcache and disable file revalidation."}
 - {date: "06.03.24:", desc: "Existing users should update: site-confs/default.conf - Cleanup default site conf."}