SWAG nginx access.log contains docker-IP 172.17.0.1

Hi together,
I am having an issue that also appears in some older posts but those did not provide a solution for me (or I overlooked an important detail).
Only docker + swag are installed on a newly set up raspberry pi.

My issue: The nginx access.log contains the docker-IP 172.17.0.1 if I connect via the domain (xxx .dynv6.net) and this does not allow usage of fail2ban.
It does, however contain the correct LAN-IP 192.168.x.x of my computer if I connect to swag via the IP-address of the raspberry pi (https ://192.168.x.y) instead of the domain.

Based on the posts I read, I tried adding several variations of the following to /swag/nginx/site-confs/default.conf without any change of behavior.

real_ip_header X-Forwarded-For; (or real_ip_header X-Real-IP;)
real_ip_recursive on;
set_real_ip_from 0.0.0.0/0;

Maybe some of you experts can point me in the right direction what I could try to fix the behavior.
Your support is greatly appreciated, thanks in advance.

To have a clean starting point, I re-installed from scratch once again.

My setup:
Raspberry Pi 3B+ with newly installed 2024-07-04-raspios-bookworm-arm64-lite.img

Only the following was done after a clean install:

  1. Update system

sudo apt update && sudo apt upgrade -y

  1. I added the following lines to /etc/network/interfaces to ensure static IPv6 suffix for the access via dyn-dns

auto eth0
allow-hotplug eth0
iface eth0 inet dhcp
iface eth0 inet6 auto
accept_ra 2
up ip token set ::abcd:abcd:abcd:abcd dev eth0

  1. Install docker

curl -sSL https://get.docker.com | sh
sudo usermod -aG docker $USER

  1. Install SWAG via cli with this setup

sudo docker run
–name=swag
-p 4444:443
-d
–restart unless-stopped
–cap-add=NET_ADMIN
-e PUID=1000
-e PGID=1000
-e TZ=Europe/Berlin
-e URL=xxx .dynv6.net
-e SUBDOMAINS=wildcard
-e DNSPLUGIN=rfc2136
-e VALIDATION=dns
-v /home/pi/appdata/swag:/config
lscr.io/linuxserver/swag

  1. Maintain rfc2136.ini with the correct information for my DNS
  2. Restart the raspberry pi
  3. Access SWAG landing page via domain (https ://xxx.dynv6.net:4444) & LAN-IP (https ://192.168.100.104:4444), both with success
  4. Check access.log, which contains correct IP only for access via LAN-IP

192.168.100.103 - - [04/Aug/2024:21:42:08 +0200] “GET / HTTP/2.0” 200 1345 “-” “Mozilla/5.0 (Macintosh; Intel Mac OS X 11_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6327.218 Safari/537.36”
192.168.100.103 - - [04/Aug/2024:21:42:08 +0200] “GET /favicon.ico HTTP/2.0” 200 1345 “https ://192.168.100.104:4444/” “Mozilla/5.0 (Macintosh; Intel Mac OS X 11_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6327.218 Safari/537.36”
172.17.0.1 - - [04/Aug/2024:21:42:54 +0200] “GET / HTTP/2.0” 200 1345 “-” “Mozilla/5.0 (iPhone; CPU iPhone OS 15_5 like Mac OS X) AppleWebKit/537.36 (KHTML, like Gecko) Version/14.6.65 Mobile/QJUU4J Safari/625.36”
172.17.0.1 - - [04/Aug/2024:21:42:54 +0200] “GET /favicon.ico HTTP/2.0” 200 1345 “https ://xxx.dynv6.net:4444/” “Mozilla/5.0 (iPhone; CPU iPhone OS 15_5 like Mac OS X) AppleWebKit/537.36 (KHTML, like Gecko) Version/14.6.65 Mobile/QJUU4J Safari/625.36”