How to disable or relax the bruteforce protection?

I read through the docs and also found NC20 isn't respecting 'X-Forwarded-For' header from reverse proxy - #12 by Master which seems to be related but for whatever reason, still the ā€œinternalā€ IP is logged and the forward does not seem to work.

The trusted_domains settings looks like this:

  'trusted_domains' =>
  array (
    0 => 'localhost',
    1 => 'the.domain.of.the.server',
    2 => '10.0.9.107',
    3 => '10.0.9.*',  // added a wildcard in case the IP changes, might need class B
  ),

and I added this to look for the header entry from HAProxy

 'forwarded_for_headers' => 
  array (
    0 => 'HTTP_X_FORWARDED_FOR',
  ),

So no luck with this yet. I’ll dig deeper, but if anyone has a working solution for this (HAProxy + Docker Swarm), I am happy to listen…