I use Nginx (listen IP x.x.x.x) as frontend and Apache-2.2.4 (listen
IP 127.0.0.1) + mod_security-2.1.1-r1 as backend. OS Gentoo Linux.
Mod_rpaf get "X-Forwarded-For" from Nginx and set REMOTE_ADDR from it
on Apache.
Apache see all requests as real clients IP.
But mod_security don't see this new REMOTE_ADDR. Mod_security see all
requests as from 127.0.0.1 and they can't be filtrable by client IP
conditions.
The same configuration with Nginx, Apache-1.3.37 and
mod_security-1.9.4 works fine.
