Comment 9 for bug 1875299

Marcus (pathmissing) wrote :

After configuring nginx and apache, the file index.php has to be placed in the document root directory (/var/www/html). This PHP file outputs the value of the variable $_SERVER['REMOTE_ADDR'] which should always carry the client's real IP address and should always contain trustworthy values when being processed by a webserver.

In order to keep this simple, the following IPv4 addresses will be used:

Server IP: 192.168.1.1
Client IP: 192.168.2.2

Now our client wants to access our site by using the following command:

curl http://192.168.1.1/index.php
Output: 192.168.2.2 (As expected, the real IP address of the requesting client)

Let's assume the client accesses an SEO-friendly URL and should be internally redirected to the file index.php. To test this, the following curl command can be used:

curl http://192.168.1.1/seo-friendly-url/
Output: 192.168.2.2 (As expected)

So far so good. Let's assume our client provides the header X-Forwarded-For with an arbitrary IP address:

curl http://192.168.1.1/seo-friendly-url/ -H "X-Forwarded-For: 1.1.1.1"
Output: 1.1.1.1 (Unexpected; should contain the real IP address instead of the header value)

I hope the supplied configuration files and this short explanation can be of help. I am happy to provide additional information if needed.
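The check a practitioner would want behind this report is how a backend should derive the client address when a reverse proxy may be in front of it: the header is only meaningful when the TCP peer (REMOTE_ADDR) is one of our own proxies, and even then only the rightmost hop that is not a proxy can be believed. The following is an added example, not code from the bug report or from the nginx/apache/PHP packages involved; it models the three curl requests above in Python. The trusted proxy range 127.0.0.1/32 (nginx forwarding to apache over loopback), the `naive_client_ip` rule that reproduces the unexpected output, and the extra 10.0.0.0/8 chain case are assumptions made for illustration, not a statement about the actual cause of the bug.

```python
"""Resolve the real client address from REMOTE_ADDR plus X-Forwarded-For,
trusting the header only for hops that are known reverse proxies.
Added example; the addresses and proxy ranges are assumed, not taken
from the bug's configuration files."""
import ipaddress
from typing import Iterable, List, Optional

# Values used in the bug comment.
SERVER_IP = "192.168.1.1"
CLIENT_IP = "192.168.2.2"
# Assumption: nginx proxies to apache over loopback, so loopback is the
# only peer whose X-Forwarded-For we are willing to believe.
TRUSTED_PROXIES = ["127.0.0.1/32"]


def parse_xff(header: Optional[str]) -> List[str]:
    """Split an X-Forwarded-For value into hops, left (client) to right (last proxy)."""
    if not header:
        return []
    return [hop.strip() for hop in header.split(",") if hop.strip()]


def _is_trusted(addr: str, trusted) -> bool:
    """True if addr parses as an IP and lies inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # garbage in the header is never a trusted proxy
    return any(ip in net for net in trusted)


def naive_client_ip(remote_addr: str, xff_header: Optional[str]) -> str:
    """Illustrative naive rule (an assumption, not the bug's actual cause):
    take the first X-Forwarded-For entry whenever the header is present.
    This reproduces the unexpected '1.1.1.1' output from the report."""
    hops = parse_xff(xff_header)
    return hops[0] if hops else remote_addr


def client_ip(remote_addr: str, xff_header: Optional[str],
              trusted_proxies: Iterable[str]) -> str:
    """Hardened rule: believe X-Forwarded-For only from trusted proxies, and
    walk it from the right until the first address that is not our own proxy."""
    trusted = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]
    # The TCP peer is the only address the client could not have forged.
    if not _is_trusted(remote_addr, trusted):
        return remote_addr
    for hop in reversed(parse_xff(xff_header)):
        if _is_trusted(hop, trusted):
            continue  # one of our own proxies, keep walking left
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            # Unparsable hop: refuse to guess, fall back to the proxy's address.
            return remote_addr
        return hop
    # Header empty or every hop is one of our proxies: nothing better than the peer.
    return remote_addr


def reproduce_report() -> dict:
    """The requests from the bug comment as the backend would see them.
    Returns the address each rule resolves, keyed by scenario."""
    return {
        # curl http://192.168.1.1/index.php from the client, no header.
        "direct_no_header": client_ip(CLIENT_IP, None, TRUSTED_PROXIES),
        # curl ... -H "X-Forwarded-For: 1.1.1.1" arriving straight from the
        # client: the naive rule trusts it, the hardened rule ignores it.
        "direct_spoofed_naive": naive_client_ip(CLIENT_IP, "1.1.1.1"),
        "direct_spoofed_hardened": client_ip(CLIENT_IP, "1.1.1.1", TRUSTED_PROXIES),
        # Same spoofed request relayed by nginx on loopback, which appended the
        # real peer, giving "1.1.1.1, 192.168.2.2" (assumed proxy behaviour).
        "via_proxy_spoofed": client_ip("127.0.0.1", "1.1.1.1, 192.168.2.2",
                                       TRUSTED_PROXIES),
    }


if __name__ == "__main__":
    for name, addr in reproduce_report().items():
        print(f"{name}: {addr}")
```

The hardened rule gives 192.168.2.2 in every scenario, matching the "expected" outputs in the comment; only the naive rule yields 1.1.1.1. The same function generalises to a chain of proxies in a larger trusted range, where it returns the rightmost hop outside that range rather than the leftmost entry the client controls.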