This code is used in php frontend for audit purposes:

$ip = (isset($_SERVER['HTTP_X_FORWARDED_FOR']) && !empty($_SERVER['HTTP_X_FORWARDED_FOR']))?$_SERVER['HTTP_X_FORWARDED_FOR']:$_SERVER['REMOTE_ADDR'];

X-Forwarded-For header could be set by many untrusted parties, including remote user agent and remote http proxies. For example, I noticed this error because my squid cache has setting "forwarded_for off" and it sends header exactly as:

X-Forwarded-For: unknown

and I see IP: unknown in all audit logs.

Right solution will be to add some configuration parameter like

$REMOTE_IP_HEADER = "X-Forwarded-For";

, commented by default.

Some administrators prefer to use custom header in complex backend-frontend setups, so it's better to have ability to configure exact header name rather than just "use it? yes/no" setting.