Issue
The X-Forwarded-For header, which is documented in the Dev Center article on HTTP Routing is populated for all requests. But the Spring framework will strip this header and use it to configure Tomcat's RemoteIpValve. This is mentioned, very briefly, in the Spring Boot docs under the section Use behind a front-end proxy server.
Resolution
To access the remote IP address, you can disable the server.use-forward-headers property by adding this configuration to your application.properties:
server.use-forward-headers=false
Or if you prefer to leave the Spring configuration with it's defaults, you can access the remote IP address from the underlying Servlet request in your Controller method. For example:
HttpServletRequest request = ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getRequest();
request.getRemoteAddr(); // the value from X-Forwarded-For