We use the code above with SSL via pound (client connects to pound via SSL, pound connects to backend via plain HTTP). Pound uses different backends for different tasks. So, the only complete log file is the one provided by pound, which contains as well the correct IP addresses of the clients.
On the backend side everything using ad_conn reports the client ip address as "ad_conn peeraddr" (e.g. request monitor, creation_ip in acs_objects, etc.). Since all but developer traffic (via VLAN) is routed via the reverse proxy, recording the ip address of the proxy is certainly not useful. I would call it rather a bug, seeing always the proxy's ip address, where the code-writer had obviously the intention to report the client IP address. In the parts of OpenACS we are using, we found no place, where having the proxy as the peer address makes sense.
However, I do agree, that in principle one should have two fields, such as peer_addr and client_addr, and that the usages should be changed from "ad_conn peeraddr" to "ad_conn clientaddr". However, the change above is less invasive, and one has actually always both info at hand: one can use still "ns_conn peeraddr" for the bare-bone info.
