Type: Improvement
Resolution: Won't Fix
Priority: Major
Affects Version: 3.0.9
Fix Version: None
Environment: PHP 5.3.6, MySQL 5.1.57-rel12.8, Firefox 5
Support topics: http://www.phpbb.com/community/viewtopic.php?f=46&t=2122051
When phpbb is behind a reverse proxy, REMOTE_ADDR is the IP address of the proxy and not of board users. This behavior usually manifests itself as that same IP address being displayed in ACP logs. However, I believe we also have an option for tying sessions to IP addresses or networks, and in the case of everyone having the same IP the security of that option is nullified.
It is currently impossible to tell phpbb to use a value in e.g. the X-Forwarded-For header instead of REMOTE_ADDR for the purpose of determining users' IP addresses. We should investigate if just offering the option of using X-Forwarded-For would be enough, or if we would need to support arbitrary headers.
X-Forwarded-For is used by (non-reverse) proxies. Therefore this option should be off by default. It should only be turned on by administrators who are behind a reverse proxy, and we should only take the most recently appended value of that header as the user's IP address (i.e., not follow it all the way).
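As an added illustration of the rule proposed above (this is example code, not phpBB's own, and the option name, the trusted-proxy list and the sample requests are assumptions for the demonstration): the option is off by default, the header is only consulted when the TCP peer is one of the administrator's reverse proxies, and only the last, most recently appended element of X-Forwarded-For is used, since everything before it was supplied by the client or by untrusted upstream proxies. The trusted-proxy check goes slightly beyond the text, which only asks for an on/off switch.

```php
<?php
// Added example, not phpBB code. Written in PHP 5.3-compatible style to match
// the environment on this ticket; it also runs unchanged on current PHP.

/**
 * Return the IP address to record for this request.
 *
 * @param array    $server          Normally $_SERVER.
 * @param bool     $use_forwarded   Hypothetical ACP option "use X-Forwarded-For"; off by default.
 * @param string[] $trusted_proxies Hypothetical list of reverse-proxy addresses.
 *                                  Empty list means any peer is believed (the bare on/off model).
 * @return string
 */
function user_ip(array $server, $use_forwarded = false, array $trusted_proxies = array())
{
    $remote = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';

    // Safe default: X-Forwarded-For is client-controlled input (any client or
    // ordinary forward proxy can send it), so ignore it unless the admin opted in.
    if (!$use_forwarded) {
        return $remote;
    }

    // Only believe the header when the connection really came from one of our
    // reverse proxies; otherwise a direct client could forge any address.
    if (count($trusted_proxies) > 0 && !in_array($remote, $trusted_proxies, true)) {
        return $remote;
    }

    $xff = isset($server['HTTP_X_FORWARDED_FOR']) ? $server['HTTP_X_FORWARDED_FOR'] : '';
    if ($xff === '') {
        return $remote;
    }

    // The header is a comma-separated chain; each proxy appends the peer it saw.
    // Only the last element was written by our own proxy, so take that one and
    // do not walk the chain any further back.
    $hops      = array_map('trim', explode(',', $xff));
    $candidate = end($hops);

    // Reject anything that is not a syntactically valid IP so a forged header
    // cannot inject arbitrary text into the ACP log or session table.
    if (filter_var($candidate, FILTER_VALIDATE_IP) === false) {
        return $remote;
    }

    return $candidate;
}

// Constructed sample requests for the demonstration.
$behind_proxy = array(
    'REMOTE_ADDR'          => '10.0.0.5',               // the reverse proxy itself
    'HTTP_X_FORWARDED_FOR' => '1.2.3.4, 203.0.113.9',   // 1.2.3.4 sent by the client, 203.0.113.9 appended by the proxy
);
$direct_spoof = array(
    'REMOTE_ADDR'          => '198.51.100.7',           // a client connecting directly
    'HTTP_X_FORWARDED_FOR' => '127.0.0.1',              // trying to look like localhost
);

// Option off: the header is ignored and the proxy address is logged, as today.
var_dump(user_ip($behind_proxy));
// Option on, peer is a trusted proxy: the proxy-appended (last) element is used.
var_dump(user_ip($behind_proxy, true, array('10.0.0.5')));
// Option on, but the peer is not a trusted proxy: the forged header is ignored.
var_dump(user_ip($direct_spoof, true, array('10.0.0.5')));
```

The validation step matters even with a trusted proxy: if the proxy simply appends to whatever the client sent, the client still controls every element except the last, so the last element must be taken by position rather than by picking the first "public-looking" address in the chain.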
Is related to: PHPBB-14481 phpBB does not obey HTTP_X_FORWARDED_PORT header (Closed)