9.Web Application Firewall


Note

This feature is only available in the Professional release

The Web Application Firewall feature of Admin Tools is designed to offer real-time protection against the most common attacks on Joomla sites, as well as against the fingerprinting techniques attackers use to deduce information about your site in order to tailor an attack to it. The real-time protection is performed by the "System - Admin Tools" plugin.

Before configuring Admin Tools' WAF, make sure that the plugin is published and is the first system plugin to run, i.e. it appears first in the plugin ordering. These conditions are applied automatically when you install the Admin Tools bundle. However, if you have installed more system plugins, make sure that plg_admintools is published before all other system plugins; otherwise the protection will not be thorough, because any system plugin running before it processes the request before the WAF has had a chance to block it. Do note that, by default, Admin Tools will try to automatically reorder its system plugin as the first published plugin.

When you launch the Web Application Firewall feature of Admin Tools you are presented with its panel page:

Clicking on any icon will launch the respective sub-tool. The Back button on the upper right-hand corner will get you back to the Control Panel page.

9.1.Visitor IP addresses in Joomla

Note

TL;DR: If you are behind a CDN, TLS terminator, non-transparent proxy, or load balancer or if you see all blocked requests come from the same IP address(es) go to Joomla's Global Configuration and set Behind Load Balancer to Yes.

Admin Tools is a Joomla extension. As such, it relies on Joomla to report the real IP address of the site's visitor. The visitor's IP address is used by various features. For example, it's what determines whether an IP address is blocked by the Site IP Disallow List or the Auto Blocked IP Addresses features. It's the IP that will be auto-blocked after repeated blocked requests. It's what must match for Administrator Exclusive Allow IP List to allow access to your site's backend. And so on, and so forth.

When a visitor accesses a URL on your server, the web server software (Apache, Litespeed, NginX, IIS, …) takes the visitor's IP address from the source address of the TCP connection carrying the request and exposes it as the REMOTE_ADDR environment variable. When Joomla is asked for the visitor's IP address, it reads that variable through PHP ($_SERVER['REMOTE_ADDR']) and reports back its contents.

This works great, unless your site is behind a non-transparent proxy. Examples of that are CDNs (e.g. CloudFlare, BunnyCDN, …), third party services (e.g. Sucuri), TLS terminators (e.g. NginX, HAProxy, …), caching proxies (e.g. Varnish), and load balancers (AWS Elastic Load Balancing, HAProxy, …). We can collectively call them "reverse proxies" since they all operate on the principle of reverse proxying. In this case, the IP address the web server "sees" is the IP address of the reverse proxy, not the actual visitor's IP address. As a result, the REMOTE_ADDR environment variable contains the IP address of the reverse proxy, and that's what Joomla reports.

In this case, all requests appear to come from the IP address(es) of the reverse proxy. You will perceive this as all of the blocked requests coming from the same small number of IP addresses, and you might get automatically blocked even if you didn't do anything on your site at all.

There is, of course, a solution to that. Reverse proxies set an HTTP header called X-Forwarded-For. This header contains the real IP address of the visitor, followed by the IP addresses of any other intermediate reverse proxies before the last one your server sees; each proxy appends the address it received the request from. Keep in mind that any client can send this header itself, so it is only trustworthy when the request actually arrives from a proxy you control. That is why each of the methods below pairs honouring the header with knowing your proxy's own IP addresses.

You can tell Joomla to honor this header. In fact, Joomla uses code we originally wrote for Admin Tools to do that, which we donated to Joomla a long time ago. Go to Joomla's Global Configuration and set Behind Load Balancer to Yes. If you decide to do that, you should also use the .htaccess Maker setting Restrict access by IP to only allow access to your site by the IP addresses belonging to your reverse proxy. Otherwise, anyone who bypasses the proxy and connects to your server directly could send a forged X-Forwarded-For header and impersonate any IP address they like.

Another way to handle that is through server configuration. You will most likely need to ask your host to configure their web server so that it parses the X-Forwarded-For HTTP header and sets the visitor's IP address from it. If you are your own host, you can do it yourself.

On Apache 2.4 this is done by loading the optional Apache module mod_remoteip and using something like this (Apache does not allow comments on the same line as a directive, so the comment goes on its own line):

# Your proxy's subnet
RemoteIPInternalProxy 192.168.1.0/24
RemoteIPHeader X-Forwarded-For

On NginX you can use the following configuration:

set_real_ip_from  192.168.1.0/24; # Your proxy's subnet
real_ip_header    X-Forwarded-For;
real_ip_recursive on;
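To make the trust rule concrete, here is an added example in Python (not Admin Tools, Joomla or web server code) that resolves the visitor's IP address the way mod_remoteip and NginX's real_ip_recursive do: the X-Forwarded-For header is only honoured when the connection itself comes from a configured proxy network, and the header is walked from right to left, discarding hops that belong to trusted proxies. The proxy subnet 192.168.1.0/24 and every address in the sample inputs are constructed for this example.

```python
import ipaddress
from typing import Optional

# Constructed for this example: the subnet your reverse proxy connects from.
# This is the same value you would put in RemoteIPInternalProxy / set_real_ip_from.
TRUSTED_PROXIES = [ipaddress.ip_network("192.168.1.0/24")]


def is_trusted_proxy(addr: str, trusted=TRUSTED_PROXIES) -> bool:
    """True if addr is a valid IP address inside one of the trusted proxy networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def client_ip(remote_addr: str, xff: Optional[str], trusted=TRUSTED_PROXIES) -> str:
    """Resolve the visitor's IP the way a recursive proxy-aware web server does.

    The hop chain, nearest first, is REMOTE_ADDR followed by X-Forwarded-For read
    from right to left (each proxy appends the address it received the request
    from to the right end). Peel off every hop that is a trusted proxy; the first
    hop that is not one is the visitor. Anything further left was written by
    parties we do not control and may be arbitrary.
    """
    # Direct connection: whatever X-Forwarded-For says was typed by the client.
    if not is_trusted_proxy(remote_addr, trusted):
        return remote_addr
    if not xff:
        return remote_addr

    hops = [h.strip() for h in xff.split(",") if h.strip()]
    last_good = remote_addr
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            # A malformed hop means a broken or tampered chain. Attribute the
            # request to the nearest hop we could verify rather than guessing.
            return last_good
        if not is_trusted_proxy(hop, trusted):
            return hop
        last_good = hop
    # Every hop was a trusted proxy (proxy-to-proxy traffic); use the leftmost one.
    return last_good


if __name__ == "__main__":
    # Constructed sample requests: (REMOTE_ADDR, X-Forwarded-For as received).
    samples = [
        ("203.0.113.7", "10.0.0.1"),                      # direct hit, spoofed header
        ("192.168.1.10", "203.0.113.7"),                  # behind our proxy
        ("192.168.1.10", "1.2.3.4, 203.0.113.7"),         # client prepended a fake hop
        ("192.168.1.10", "203.0.113.7, 192.168.1.20"),    # two of our proxies in a row
        ("192.168.1.10", "garbage"),                      # malformed header
    ]
    for remote, header in samples:
        print(f"REMOTE_ADDR={remote:14} XFF={header!r:32} -> {client_ip(remote, header)}")
```

The third sample is the important one for a WAF: a visitor who prepends an address of their choice to the header cannot change the result, because the walk stops at the first hop the trusted proxy itself recorded. The first sample shows why the proxy subnet matters at all: without it, the same header would let a direct visitor pick the IP address your blocklists and auto-blocking see.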

Please note that if you are using the server configuration described above you MUST NOT set Joomla's Behind Load Balancer option to Yes, nor use the .htaccess Maker's Restrict access by IP feature. The handling of X-Forwarded-For takes place at the server level, long before Joomla has the chance to run, so Joomla already sees the real IP address of the visitor in REMOTE_ADDR. Turning on Behind Load Balancer would make Joomla trust the header a second time, and Restrict access by IP would now be checked against real visitor addresses rather than your proxy's, locking everyone out of the site.