If a request goes through a proxy server, the IP address of the original client gets put into the X-Forwarded-For header, and the IP address in the request gets updated to the IP of the proxy server. The IP Identity filter checked for an X-Forwarded-For header, and so does the IP User filter but only when populating the X-PP-User header. Unfortunately, we aren't taking it into consideration when populating the X-PP-Groups header.
IP User filter docs:
- The X-PP-Groups header will be populated with the configured group header containing a CIDR that matches the X-Forwarded-For header if it's present, and the source IP address of the request otherwise.
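The selection rule described above, as an added Python sketch (not Repose's own code): it shows the mismatch where the user comes from X-Forwarded-For but the groups come from the proxy's address, next to the intended behaviour. The group names, CIDRs, function names, the use of the first X-Forwarded-For entry, and the fallback to the source IP on an unparsable header are all assumptions made for illustration.

```python
import ipaddress

# Constructed sample configuration (hypothetical group names and CIDRs).
GROUPS = {
    "internal": ["10.0.0.0/8"],
    "partners": ["203.0.113.0/24"],
}

def client_address(headers, source_ip):
    """First X-Forwarded-For entry if present and parsable, else the source IP."""
    xff = next((v for k, v in headers.items()
                if k.lower() == "x-forwarded-for"), None)
    if xff:
        candidate = xff.split(",")[0].strip()
        try:
            return ipaddress.ip_address(candidate)
        except ValueError:
            pass  # Assumption: a malformed value falls back to the source IP.
    return ipaddress.ip_address(source_ip)

def matching_groups(address, groups=GROUPS):
    """Names of all groups with a CIDR containing the address."""
    return [name for name, cidrs in groups.items()
            if any(address in ipaddress.ip_network(c) for c in cidrs)]

def populate_headers(headers, source_ip, groups_honor_xff=True):
    """Return the identity headers a filter of this kind would add.

    groups_honor_xff=False reproduces the behaviour reported above:
    X-PP-User follows X-Forwarded-For, X-PP-Groups follows the source IP.
    """
    user_addr = client_address(headers, source_ip)
    group_addr = user_addr if groups_honor_xff else ipaddress.ip_address(source_ip)
    return {
        "X-PP-User": str(user_addr),  # simplified: no quality parameter
        "X-PP-Groups": ",".join(matching_groups(group_addr)),
    }

if __name__ == "__main__":
    # Constructed request: partner client behind an internal proxy.
    req = {"X-Forwarded-For": "203.0.113.7, 10.1.2.3"}
    print("reported:", populate_headers(req, "10.1.2.3", groups_honor_xff=False))
    print("intended:", populate_headers(req, "10.1.2.3"))
```

X-Forwarded-For is client-supplied unless an upstream proxy overwrites it, so groups derived from it are only as trustworthy as the proxy chain in front of the filter.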