It seems that out-of-the-box Serendipity does not support X-Forwarded-For -header. It means that any proxy in between loses original client information.
Here is my suggested patch to fix the issue:
--- serendipity/include/functions_comments.inc.php.orig 2013-01-25 14:10:03.058973150 +0200
+++ serendipity/include/functions_comments.inc.php 2013-05-14 11:34:35.302389894 +0300
@@ -782,7 +782,13 @@
$title = serendipity_db_escape_string(isset($commentInfo['title']) ? $commentInfo['title'] : '');
$comments = $commentInfo['comment'];
- $ip = serendipity_db_escape_string(isset($commentInfo['ip']) ? $commentInfo['ip'] : $_SERVER['REMOTE_ADDR']);
+ $ip = serendipity_db_escape_string(isset($commentInfo['ip']) ?
+ $commentInfo['ip'] :
+ (
+ isset($_SERVER['HTTP_X_FORWARDED_FOR']) ?
+ $_SERVER['HTTP_X_FORWARDED_FOR'] :
+ $_SERVER['REMOTE_ADDR']
+ ));
$commentsFixed = serendipity_db_escape_string($commentInfo['comment']);
$name = serendipity_db_escape_string($commentInfo['name']);
$url = serendipity_db_escape_string($commentInfo['url']);
This works on 1.6.2 and 1.7.0.