varnish-fe handles X-Forwarded-For in a different way when ATS is doing the TLS termination instead of nginx.
a quick check with varnishlog shows the following:
- ReqUnset X-Forwarded-For: USER_IP - ReqHeader X-Forwarded-For: USER_IP, 10.132.0.102
VS
- ReqUnset X-Forwarded-For: USER_IP - ReqHeader X-Forwarded-For: USER_IP, 127.0.0.1
I'm guessing it's related to the fact that nginx performs the connections to varnish using the NIC ip address (10.132.0.102 in the example used) and ATS is using the loopback interface