The Domain Auth plugin uses the request.getClientAddr() method to determine the IP address of the client, which in turn uses both the REMOTE_ADDR variable and the X-FORWARDED-FOR header.
Generally, you cannot rely on the X-FORWARDED-FOR header, because anyone could set it. But you can configure Zope to trust this header from a given set of trusted proxies. Using the list of trusted proxies, the REMOTE_ADDR IP address is replaced with the next address specified in the X-FORWARDED-FOR header until you run out of trusted addresses. The last IP address found is the new client address. This allows you to group a set of proxies and still be able to trust that you will receive the correct client address to create your roles.
To configure Zope to trust the X-FORWARDED-FOR header from a proxy server, set the trusted-proxy configuration parameter in the zope.conf file. If your nginx server is running on the same host, just set it to localhost:
trusted-proxy 127.0.0.1
You specify multiple names by adding multiple entries:
trusted-proxy 127.0.0.1
trusted-proxy loadbalancer.localnet
trusted-proxy accepts both IP addresses and host names.
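The resolution rule described above, sketched as an added example (this is not Zope's own code). The function name `resolve_client_addr` and the sample addresses are constructed for illustration, and the trusted list is assumed to hold already-resolved IP addresses. The fourth sample shows that an entry a client places in the header itself is ignored, because the walk stops at the first untrusted address.

```python
"""Added illustration of trusted-proxy client address resolution."""


def resolve_client_addr(remote_addr, x_forwarded_for, trusted_proxies):
    """Return the address to treat as the client.

    remote_addr      -- peer address of the TCP connection (REMOTE_ADDR)
    x_forwarded_for  -- raw header value, or None when absent
    trusted_proxies  -- iterable of proxy IP addresses (assumed already
                        resolved; host names are not looked up here)
    """
    trusted = set(trusted_proxies)
    # Each proxy appends the peer it saw, so the right-most entry is the
    # one added by the proxy closest to us.
    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]

    client = remote_addr
    # Step back through the chain only while the current address is a proxy
    # we trust; the first untrusted address found is the client.
    while client in trusted and hops:
        client = hops.pop()
    return client


# Constructed sample requests: (REMOTE_ADDR, X-Forwarded-For, expected)
TRUSTED = {"127.0.0.1", "10.0.0.5"}
SAMPLES = [
    # Direct connection from an untrusted peer: header is ignored.
    ("203.0.113.9", "10.0.0.1", "203.0.113.9"),
    # One trusted proxy on localhost.
    ("127.0.0.1", "198.51.100.7", "198.51.100.7"),
    # Two trusted proxies in a row.
    ("127.0.0.1", "198.51.100.7, 10.0.0.5", "198.51.100.7"),
    # Client supplied its own header entry; the proxy appended the real peer.
    ("127.0.0.1", "192.168.1.1, 198.51.100.7", "198.51.100.7"),
    # Trusted proxy sent no header at all.
    ("127.0.0.1", None, "127.0.0.1"),
]

if __name__ == "__main__":
    for remote, xff, expected in SAMPLES:
        got = resolve_client_addr(remote, xff, TRUSTED)
        print(f"{remote:<12} XFF={xff!r:<32} -> {got} (expected {expected})")
```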