hi there,
this is my first post around here. thanks a lot for your great product!
we are on the way to create a kirby deployment on a google cloud platform (gcp) environment. basically the setup is working and everything is fine.
now we came across an issue being caused i think from the way, the google load balancer the central proxy for all requests: in case an account is being locked, this effectively locks all accounts, since the one ip of the g lb is locked. how do we deal with that?
the structure is like this:
public → google load balancer → nginx:php-fpm (unix-socket)
nginx:php-fpm is located on our container on cloud run, listening on tcp 8080 via expose.
as a sidenote but not important in this context: we provide persistant storage for kirby from a nfs export on a compute engine vm.
now to our issue: since all the requests are coming from the same ip (the g lb), the brute force auth protection locks effectively all ip’s and therefore all accounts. pretty much like a general dos feature. 
i did not yet look all the way into header handling between the http servers, but i am thinking of how kirby is dealing with headers like “x-forwarded-for” and the like. did anyone of you come across this? does kirby evaluate headers to determine the real client-ip? is there any way we can get the real ip into the auth module to have it look at the ip address the request has been proxied for?
sorry if i missed any relevant information. is my point clear? i’ve search a little but didnt find anything specific for the auth module. all the other details around nginx we got resolved.
thanks for your help in advance,
best
seb