First, know that the `X-Forwarded-*` headers are not a standard, published or otherwise.
They are a complete wild-west mess of conflicting behaviors, so it's no wonder it's confusing you.
Use it. You won't regret it!
Every load balancer (hardware, and software, and even all cloud provider load balancers) released since 2014 supports it!
The recommendations ...
The default behavior of ForwardedRequestCustomizer is to use RFC7239 and the Spec defined Forwarded header.
Don't turn it off. Use it. Don't use and/or learn the broken non-standard X-Forwarded-* header nonsense, it will only lead to ruin and wasted man hours.
Then use the `Forwarded: for=""` request header and the HttpServletRequest.getRemoteAddr() to find the remote client address updated.
Note that multiple `Forwarded: for=""` can exist per spec.
Each additional hop adds its own entry to the list, resulting in a `Forwarded: for="" for="" for=""` header.
The left-most `for=""` is used by Jetty's ForwardedRequestCustomizer to set the HttpServletRequest.getRemoteAddr() as defined by the RFC7239 spec.
See the test cases for other examples.
- Joakim
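
The multi-hop `for=` list described in the reply above, as an added example that is not part of the original message and is not Jetty's own code: a small stand-alone parser that collects every `for=` node from one or more RFC 7239 `Forwarded` header values and shows which one is left-most. The class name, helper names and sample header values are assumptions constructed for illustration.

```java
import java.util.ArrayList;
import java.util.List;
/** Added illustration, not Jetty code: extracts the for= chain from RFC 7239 Forwarded values. */
public class ForwardedChain {
    /** Returns every for= node in hop order (left-most first) across all header lines. */
    static List<String> forNodes(List<String> headerValues) {
        List<String> nodes = new ArrayList<>();
        for (String value : headerValues) {
            for (String element : split(value, ',')) {      // one element per hop
                for (String pair : split(element, ';')) {   // for= / by= / proto= / host=
                    int eq = pair.indexOf('=');
                    if (eq > 0 && pair.substring(0, eq).trim().equalsIgnoreCase("for"))
                        nodes.add(unquote(pair.substring(eq + 1).trim()));
                }
            }
        }
        return nodes;
    }

    /** Splits on sep, ignoring separators that appear inside a quoted-string. */
    static List<String> split(String s, char sep) {
        List<String> parts = new ArrayList<>();
        StringBuilder cur = new StringBuilder();
        boolean quoted = false;
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (quoted && c == '\\' && i + 1 < s.length()) { cur.append(c).append(s.charAt(++i)); continue; }
            if (c == '"') quoted = !quoted;
            if (c == sep && !quoted) { parts.add(cur.toString()); cur.setLength(0); } else cur.append(c);
        }
        parts.add(cur.toString());
        return parts;
    }

    /** Strips surrounding quotes and backslash escapes; IPv6 nodes must be quoted per the RFC. */
    static String unquote(String v) {
        if (v.length() >= 2 && v.startsWith("\"") && v.endsWith("\""))
            return v.substring(1, v.length() - 1).replaceAll("\\\\(.)", "$1");
        return v;
    }

    public static void main(String[] args) {
        // Constructed sample: three hops, using documentation-only addresses (RFC 5737 / RFC 3849).
        List<String> chain = forNodes(List.of(
            "for=192.0.2.43;proto=https, for=\"[2001:db8::17]:4711\"",
            "for=198.51.100.7;by=203.0.113.60"));
        System.out.println("chain = " + chain + ", left-most = " + chain.get(0));
    }
}
```

The left-most value is only as trustworthy as the outermost proxy that wrote it, so have that proxy discard any `Forwarded` header arriving from the client before adding its own.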