In general, proxies will add the IPs of the clients inside the X-Forwarded-For
header so the next hop will know where does the petition comes from. However, if an attacker sends a Connection value like Connection: close, X-Forwarded-For
and the first proxy sends the hop-by-hop headers with their values (it sends the special Connection value), then the second value may delete the X-Forward-For header.
At the end, the final App won't know who sent the request and may think that it was the last proxy, and is this scenario an attacker may be able to access resources protected by IP whitelisting (maybe some /admin
?).