Support Real Client IP Logging via X-Forwarded-For Header
#3873
conquestace started this conversation in Ideas
Replies: 1 comment
I actually just fixed a bug where the security middleware was not using the forwarding header. I'll have to check about this real-ip header.
Idea Description
Is your feature request related to a problem? Please describe.
I'm self-hosting Kavita behind a reverse proxy (nginx), and I'm using fail2ban to secure against brute-force login attempts. Currently, Kavita logs authentication attempts with the IP of the internal Docker network (e.g., 172.18.0.1), not the real client IP. This makes it impossible to apply meaningful bans per external user, and only allows banning the proxy/Docker bridge IP.
Describe the solution you'd like
Kavita should support parsing and logging the real client IP from the X-Forwarded-For and/or X-Real-IP headers, if present. This is a common practice for applications behind a reverse proxy, and allows accurate client identification and security integrations (such as fail2ban or other ban/alert systems).
Describe alternatives you've considered
Additional context
Other apps (e.g., Gitea, Jellyfin, Nextcloud) offer options to trust reverse proxy headers for client IP logging.
Implementing this feature would benefit all users running Kavita behind a reverse proxy and improve integration with existing security tooling.
Thank you for your hard work on Kavita!
Idea Category
Performance Improvement
Duration of Using Kavita
over a year now
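
The trusted-proxy handling this request depends on, as an added example that is not part of the original post and not Kavita's code: the forwarding headers are honoured only when the connection arrives from a known proxy, so a client cannot supply its own X-Forwarded-For value to avoid or misdirect a fail2ban ban. The TRUSTED_PROXIES networks, the client_ip function and the sample addresses are assumptions made for the illustration.

```python
import ipaddress

# Assumption: networks the reverse proxy connects from (constructed values;
# 172.18.0.0/16 stands in for the Docker bridge mentioned in the post).
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("172.18.0.0/16", "127.0.0.1/32")]


def _parse(value):
    """Return an ip_address object, or None if the text is not a bare IP."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def _trusted(ip):
    """True if the address belongs to one of the configured proxy networks."""
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, headers):
    """Pick the address to log for one request.

    peer_addr: socket peer address; headers: dict with lower-case header names.
    """
    peer = ipaddress.ip_address(peer_addr)
    if not _trusted(peer):
        # Direct connection: forwarding headers are client-controlled, ignore them.
        return str(peer)
    hops = [h for h in headers.get("x-forwarded-for", "").split(",") if h.strip()]
    if not hops:
        # No X-Forwarded-For from the proxy: fall back to X-Real-IP if it is valid.
        real = _parse(headers.get("x-real-ip", ""))
        return str(real if real is not None else peer)
    # Each proxy appends its peer on the right, so walk right to left and stop
    # at the first address that is not one of our proxies.
    result = peer
    for hop in reversed(hops):
        ip = _parse(hop)
        if ip is None:
            break  # malformed entry: keep the last address we could verify
        result = ip
        if not _trusted(ip):
            break
    return str(result)
```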