Anyone using reserve proxy? (Wrong IP in logfile)

Hi Folks,
I would like to run some HTTP(S) sites on my home network.
I want it to be available on the internet, too.
So I looked into reserve proxy, Nginx Proxy Manager.
Well it works… nice kind of magic g
subomain1.domain.tld go redirected to 192.168.0.61 and subdomain2 got redirected to 192.168.0.62.

BUT…
looking on the apache logfiles on .61/.62 they only see the IP for the reserve proxy.
So using CSF or Fail2ban would not block the read IP but only my reserve proxy.

For Apache there seems to be a module I could use the log the real IP.
But what if for any reasons I can not use a module?
Maybe an IoT Device I want to be accessable though the internet? It would only see the reserve proxy IP.

Does anyone knows a reserve proxy that would report the internet IP to the host on my LAN - withouf any mods running on the LAN host?
Maybe soething like pfsense? It just needs to be able run on a little VM.

If you use apache as reverse proxy in virtualmin add these lines to the virtualhost conf:

RequestHeader set X-Forwarded-Proto expr=%{REQUEST_SCHEME}
RequestHeader set X-Real-IP expr=%{REMOTE_ADDR}

for nginx I believe it is:

proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

Either LAMP or LEMP stack in Virtualmin has proxy paths GUI options. I think it is nice that it has radio button for Websocket support, maybe the devs could add another radio button to passthrough the real IP. @Joe @Jamie @Ilia

I think it is appropiate to have a button for it since so many docker self-hosted apps require it or benefit from it to log brute force attempts for example. I use it for Portainer, Vaultwarden, Discourse, SearXNG. I think it makes sense in many environments.

I tried the “proxy_set_header” in Nginx, but I still get only the proxy IP in the Apache logs.
Sure I could add the remote IP mod in apache to get the real IP… BUT… Like I said what if I want to use a device that dosent support that? If I run the services here I want to have the real IP accessing it in my logs.

You can tell Webmin to log the real remote IP received from the proxy at Webmin → Webmin Configuration → IP Access Control → Trust remote IP address provided by proxies?

BUT if you are using any kind of IP-based access control, don’t enable this unless all access to your Webmin system is via the proxy.