Brute force lock account rather than IP

Discussion in 'Feature Requests' started by David Fagan, May 17, 2018.

  1. David Fagan

    David Fagan New Member

    I suspect this won't get a lot of support from the user base, but is perhaps easy enough to implement...

    We have placed our LiquidFiles server behind a reverse proxy. I'm not a big fan, but the security team insists. The issue is that the LiquidFiles server never sees the real external IP, only the IP of the reverse proxy. If we enable Brute Force lockouts, any lockout will lock out the IP of the reverse proxy, which will lock out everyone. I know, my problem.

    Anyway, if possible I'd love to see the ability to lock out a user account rather than an IP address.
     
  2. Johan

    Johan Administrator
    Staff Member

    It's better to configure the reverse proxy to send the X-Forwarded-For header (which they usually do by default) and configure LiquidFiles to trust the X-Forwarded-For header from the reverse proxy: https://man.liquidfiles.com/system/reverse_proxy.html. That way LiquidFiles will know what the real IP of the client is and Brute Force Detection, GeoIP lookup and other things will work as expected.
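
Added example, not part of the original post and not LiquidFiles code: a sketch of how a backend can resolve the client address from X-Forwarded-For while trusting only its own reverse proxy, and what that changes for an IP-keyed lockout. The proxy address, threshold, function names and sample requests are all constructed, and it assumes the proxy appends the connecting address to the header.

```python
import ipaddress
from collections import Counter

# Assumption: address of the reverse proxy (constructed value).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]
MAX_FAILURES = 3  # assumption: lockout threshold for this demo

def is_trusted(addr):
    ip = ipaddress.ip_address(addr)  # raises ValueError if malformed
    return any(ip in net for net in TRUSTED_PROXIES)

def client_ip(peer_addr, xff):
    """Address to key brute-force counters on for one request."""
    # Peer is not our proxy: the header is client-controlled, ignore it.
    if not is_trusted(peer_addr):
        return peer_addr
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    # Walk right to left: the rightmost entry was appended by the trusted
    # proxy; entries further left may have been supplied by the client.
    for hop in reversed(hops):
        try:
            if not is_trusted(hop):
                return str(ipaddress.ip_address(hop))
        except ValueError:
            break  # malformed entry: stop reading the header
    return peer_addr

def locked_out(failures, trust_header=True):
    """failures: (peer_addr, xff) per failed login. Returns locked keys."""
    counts = Counter(
        client_ip(peer, xff) if trust_header else peer
        for peer, xff in failures
    )
    return {ip for ip, n in counts.items() if n >= MAX_FAILURES}

# Constructed sample: every request arrives from the proxy at 10.0.0.5.
FAILED_LOGINS = [
    ("10.0.0.5", "203.0.113.7"),
    ("10.0.0.5", "198.51.100.20, 203.0.113.7"),  # forged leading entry
    ("10.0.0.5", "203.0.113.7"),
    ("10.0.0.5", "198.51.100.20"),               # one real user typo
]

if __name__ == "__main__":
    print("keyed on peer address:", locked_out(FAILED_LOGINS, False))
    print("keyed on forwarded IP:", locked_out(FAILED_LOGINS))
```

Keyed on the peer address, the only thing that gets locked is the proxy itself; keyed on the resolved address, only the client behind the repeated failures is.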
     
  3. David Fagan

    David Fagan New Member

    You've thought of everything! Thanks. I'll work with the security team to get this configured.
     
