Incorrect IP Logging for Failed Login Attempts and Potential Vulnerability to IP Spoofing

[zylxpl]

Prerequisites

• I have checked the Wiki and Discussions and found no answer

• I have searched other issues and found no duplicates

• I want to report a bug and not ask a question or ask for help

• I have set up AdGuard Home correctly and configured clients to use it. (Use the Discussions for help with installing and configuring clients.)

Platform (OS and CPU architecture)

Linux, ARM64

Installation

Docker

Setup

Other (please mention in the description)

AdGuard Home version

v0.107.48

Action

AHD behind rev proxy. On failed login attempts, the logs show the reverse proxy's IP address instead of the real user's IP address. Successful login attempts, however, are logged with the correct real user IP.

Expected result

If the reverse proxy is trusted, the logs should always display the real user IP address, retrieved for example from the XFF header.

Actual result

Failed login attempts are logged with the reverse proxy's IP address, which is not useful for auditing purposes. In contrast, successful login attempts are logged with the correct user IP address even for untrusted proxies - this might be vulnerable to IP spoofing attacks, where malicious actors could forge the X-Forwarded-For header to hide their identity.

Additional information and/or screenshots