One thing to add, never trust this header. Anyone can set this header contents to anything. If setting a real-ip header inside your data-center, use a custom header and drop it at the ingress so people can not falsify their IP. If logging X-Forwarded-For, log in addition to and not instead of the remote_addr otherwise you will get smart-asses like me being logged as "chuck-norris".

Never trust it past your infrastructure. If you have, say, Cloudflare in front of a GCP load balancer you can trust two hops and need to configure your logging accordingly.