Is this an answer to Ewoud question? Because I was gonna ask the same.
The unattended controller tries to find a host via REMOTE_IP from Rails stack which also takes X-Forwarded-For headers into consideration.
One thing that looks like a bug is this line:
if @host.nil? && params[:bootstrap]
I think it should be:
if params[:bootstrap]
because the bootstap parameter should take precedence over a host found in the database, which can be actually the HTTP proxy host. For bootstrap there is no MAC so the controller fallsback to IP, if you do this change that could help your use case.
If you confirm, file an issue and we have a nice bugfix 