API logger should respect `X-Forwarded-For` header

[bt90]

The log output is currently insufficient to diagnose which client is at fault when Syncthing is running behind a reverse proxy:

INFO: Wrong credentials supplied during API authorization from 127.0.0.1:44002
INFO: Wrong credentials supplied during API authorization from 127.0.0.1:59042
INFO: Wrong credentials supplied during API authorization from 127.0.0.1:52652
INFO: Wrong credentials supplied during API authorization from 127.0.0.1:48306
INFO: Wrong credentials supplied during API authorization from 127.0.0.1:40332
INFO: Wrong credentials supplied during API authorization from 127.0.0.1:39414
INFO: Wrong credentials supplied during API authorization from 127.0.0.1:55012
INFO: Wrong credentials supplied during API authorization from 127.0.0.1:42518
INFO: Wrong credentials supplied during API authorization from 127.0.0.1:44488
INFO: Wrong credentials supplied during API authorization from 127.0.0.1:49030
INFO: Wrong credentials supplied during API authorization from 127.0.0.1:57798
INFO: Wrong credentials supplied during API authorization from 127.0.0.1:56110

syncthing/lib/api/api_auth.go

Lines 31 to 40 in 8edd67a

	func emitLoginAttempt(success bool, username, address string, evLogger events.Logger) {
	evLogger.Log(events.LoginAttempt, map[string]interface{}{
	"success": success,
	"username": username,
	"remoteAddress": address,
	})
	if !success {
	l.Infof("Wrong credentials supplied during API authorization from %s", address)
	}
	}

[boydaihungst]

Yes definitely need this. I also noticed this bug recently after my web UI got brute force hack. I tried to setup fail2ban, but the only IP got from syncthing's log file is 127.0.0.1. ☹️