So, if I'm understanding this correctly: when SM receives these web requests, they are coming from a load balancer (or web gateway) with the "X-Forwarded-For" header?
I could see this. We could then verify that if we do see "X-Forwarded-For", we only accept that header when coming from a known safe IP. Otherwise clients could write this header themselves to bypass IP checks. Thankfully we have a list for these kinds of checks already, bypassed IPs.
What specific purpose does proxy-protocol fill that 'X-Forwarded-For' doesn't? Looking at it, seems like it would be quite a bit of work.
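
The check described in the comment above, sketched as an added example that is not part of the original post or the project's code: the header is honoured only when the TCP peer is on the trusted list, and the chain is read right to left so entries a client prepended are never used. `TRUSTED_PROXIES` and `client_ip` are hypothetical names, and the addresses are constructed samples standing in for the existing bypassed-IP list.

```python
import ipaddress

# Constructed sample allow-list (assumption): stands in for the "bypassed IPs" list.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/24", "192.0.2.10/32")]


def _is_trusted(addr):
    """True if addr belongs to one of the trusted proxy networks."""
    return any(addr in net for net in TRUSTED_PROXIES if net.version == addr.version)


def client_ip(peer, xff_header):
    """Return the address that IP checks should be applied to.

    peer       -- source address of the TCP connection (string)
    xff_header -- raw X-Forwarded-For value, or None if absent
    """
    peer_addr = ipaddress.ip_address(peer)
    # A header sent by an unknown peer is client-controlled input: ignore it.
    if xff_header is None or not _is_trusted(peer_addr):
        return str(peer_addr)
    # Each proxy appends the address it saw, so the rightmost entries are the
    # ones written by our own infrastructure. Walk right to left and stop at
    # the first hop that is not one of our proxies.
    candidate = peer_addr
    for entry in reversed(xff_header.split(",")):
        try:
            hop = ipaddress.ip_address(entry.strip())
        except ValueError:
            # Malformed entry: keep the last address we could verify.
            break
        candidate = hop
        if not _is_trusted(hop):
            break
    return str(candidate)
```
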