I'm reverse proxying with nginx behind Google Cloud (HTTPS) Load Balancer, so I add the X-Forwarded-For header so that the backend can extract the client (browser) IP.

This morning I noticed a 10.x.x.x IP in the logs, how is this possible?


How does your logging interpret the header when it contains multiple IP addresses? If it takes the first IP address instead of the correct one, this may well be an address added by someone's forward proxy instead of your reverse proxy.

The header and its contents are documented in GCP Setting Up HTTP(S) Load Balancing article:

X-Forwarded-For: <unverified IP(s)>, <immediate client IP>, <global forwarding rule external IP>, <proxies running in GCP> (requests only)

A comma-separated list of IP addresses appended by the intermediaries the request traveled through. If you are running proxies inside GCP that append data to the X-Forwarded-For header, then your software must take into account the existence and number of those proxies. Only the <immediate client IP> and <global forwarding rule external IP> entries are provided by the load balancer. All other entries in the list are passed along without verification.

Just adjust your logging accordingly.