Nginx Proxy Manager access lists

Hi, I’m trying to configure access lists on NPM to prevent external access to some services I am going to add, but they don’t seem to be working because the IP that Nginx sees for every client is
This is also an issue because the HA ip_ban system also detects the same IP.
If I use WireGuard, the IP which gets recorded is my home network public IP.

From what I read, adding an X-Forwarded-For header should do the trick, but I don’t know how to do that, especially for the VPN traffic.

Also, how do I decide if I can enable cache assets, web sockets support and HTTP/2 support depending on the service I’m using? (In my case I’d like to configure HA, Bitwarden, UniFi app, Node-RED dashboard and Nginx itself)

HA, WG (add-on) and NPM (add-on) are all hosted on my RPi.

Thanks in advance.