3 Replies Latest reply on Jan 4, 2019 11:46 AM by kamalsofteng

    Using ip-access-control from behind a reverse proxy

    rootd00d

      I am trying to configure the Undertow server in WildFly used by a Keycloak instance.  I would like to restrict access to the "master realm" administration path by IP, and the ip-access-control handler seems like the right way to do it.


      <subsystem xmlns="urn:jboss:domain:undertow:3.0">
          <buffer-cache name="default"/>
          <server name="default-server">
              <!-- Added proxy-address-forwarding, and removed redirect-socket -->
              <http-listener name="default" socket-binding="http" proxy-address-forwarding="true"/>
              <host name="default-host" alias="localhost">
                  <location name="/" handler="welcome-content"/>
                  <filter-ref name="server-header"/>
                  <filter-ref name="x-powered-by-header"/>
                  <filter-ref name="request-dumper"/>
                  <filter-ref name="restrict-admin-console-access"/>
              </host>
          </server>
          <servlet-container name="default">
              <session-cookie http-only="true" secure="true"/>
              <jsp-config/>
              <websockets/>
          </servlet-container>
          <handlers>
              <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
          </handlers>
          <filters>
              <response-header name="server-header" header-name="Server" header-value="WildFly/10"/>
              <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
              <filter name="request-dumper" module="io.undertow.core" class-name="io.undertow.server.handlers.RequestDumpingHandler"/>
              <!-- Only requests under the master admin console path are subject to the IP ACL -->
              <expression-filter module="io.undertow.core" name="restrict-admin-console-access" expression="path-prefix[/auth/admin/master/console] -> ip-access-control[default-allow=false, acl={'our.corporate.ip.address allow'}]"/>
          </filters>
      </subsystem>

      This results in _all_ access to /auth/admin/master/console returning a 403, no matter what exceptions I add to the ip-access-control ACL.


      My suspicion is that while the remoteAddr attribute is being properly populated with the remote client IP, perhaps it isn't the IP that actually ends up being evaluated by the handler.


      Does anyone have any experience using this rule in the context of a reverse proxy?


      Thanks!
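The failure mode the post describes, modelled as an added example that is not part of the thread and not Undertow's own code: the ACL is evaluated against whichever address the listener treats as the peer. Behind a reverse proxy that is the proxy's own address unless the forwarded client address is honoured, so an ACL that only allows the corporate range rejects every request. The model assumes first-match-wins ACL semantics, takes the rightmost X-Forwarded-For entry (the one appended by the proxy that connected to the listener), and uses constructed sample addresses (203.0.113.0/24 as the corporate range standing in for the thread's "our.corporate.ip.address" placeholder, 10.0.0.5 as the proxy, 198.51.100.9 as an outside client); which X-Forwarded-For entry Undertow itself picks is not something the thread states and should be checked against your version.

```python
# Added illustration (not Undertow's code) of how an ip-access-control
# decision depends on which address the listener treats as the peer.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal stand-in for an Undertow exchange."""
    peer_address: str                      # TCP source address as seen by the listener
    headers: dict = field(default_factory=dict)


def parse_acl(entries):
    """Parse ACL entries written as 'ADDRESS-OR-CIDR allow|deny', the textual
    form used in the thread's acl={'... allow'} expression. This model needs a
    literal address or CIDR, so the thread's 'our.corporate.ip.address'
    placeholder has to be replaced by a real value."""
    rules = []
    for entry in entries:
        network, verdict = entry.split()
        if verdict not in ("allow", "deny"):
            raise ValueError(f"unknown verdict in ACL entry: {entry!r}")
        rules.append((ipaddress.ip_network(network, strict=False), verdict == "allow"))
    return rules


def effective_source(request, proxy_address_forwarding):
    """Address the ACL is evaluated against.

    Without forwarding the only address available is the TCP peer, which
    behind a reverse proxy is the proxy itself. With forwarding the address
    comes from X-Forwarded-For; this model uses the rightmost entry, the one
    appended by the proxy that connected to the listener (assumption: check
    which entry your Undertow version uses).
    """
    if proxy_address_forwarding:
        forwarded_for = request.headers.get("X-Forwarded-For")
        if forwarded_for:
            return forwarded_for.split(",")[-1].strip()
    return request.peer_address


def ip_access_control(acl, default_allow, request, proxy_address_forwarding):
    """Return 200 when the request passes the ACL, 403 otherwise.
    First matching rule wins; default_allow decides when nothing matches."""
    addr = ipaddress.ip_address(effective_source(request, proxy_address_forwarding))
    for network, allow in acl:
        if addr in network:
            return 200 if allow else 403
    return 200 if default_allow else 403


# Constructed sample values: 203.0.113.0/24 stands in for the corporate
# range, 10.0.0.5 is the reverse proxy, 198.51.100.9 is an outside client.
CORPORATE_ACL = parse_acl(["203.0.113.0/24 allow"])
PROXY = "10.0.0.5"


def demo():
    """Run the four combinations the thread is about and return the status codes."""
    from_corporate = Request(PROXY, {"X-Forwarded-For": "203.0.113.7"})
    from_outside = Request(PROXY, {"X-Forwarded-For": "198.51.100.9"})
    return {
        # proxy-address-forwarding off: the ACL only ever sees 10.0.0.5, so everyone gets 403
        "no_forwarding_corporate": ip_access_control(CORPORATE_ACL, False, from_corporate, False),
        "no_forwarding_outside": ip_access_control(CORPORATE_ACL, False, from_outside, False),
        # proxy-address-forwarding on: the forwarded client address is what gets evaluated
        "forwarding_corporate": ip_access_control(CORPORATE_ACL, False, from_corporate, True),
        "forwarding_outside": ip_access_control(CORPORATE_ACL, False, from_outside, True),
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: {status}")
```

Running the block prints 403 for both clients without forwarding and 200/403 with it, which is the behaviour the post wants. The flip side of honouring X-Forwarded-For is that the listener then trusts whatever value arrives in that header, so the listener should be reachable only through the proxy, and the proxy should overwrite or append the header rather than pass a client-supplied one through unchanged; otherwise the address the ACL evaluates is no longer the real client's.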