Improper access logging; wrong client IP

My Traefik instance sits behind a VPN connection and is able to retrieve client IPs using proxy protocol. This setup works perfectly fine and the actual client IPs are always correctly forwarded to the downstream.

The problem is that this does not happen in the access log.
It only sometimes puts it in there, and the following few lines contain only a local IP (of the other side of the VPN connection).

Providing a log really wouldn't help because there isn't a scheme to this. Even after opening a new connection it only sometimes shows the actual client IP. The downstream status code does not influence this behaviour.
For me it's crucial for this to work properly because I use CrowdSec to parse the logs.
Is someone able to replicate this with my setup? I use nginx with a stream directive (proxy protocol enabled) which forwards TCP connections through a VPN tunnel where Traefik receives the connection and handles it.

Thanks a lot in advance

How about you share your Traefik static and dynamic config, and docker-compose.yml if used.

  traefik:
    container_name: traefik
    image: traefik:v3.0.1
    networks:
      - traefik
    ports:
      - "80:80/tcp"
      - "443:443/tcp"
      - "443:443/udp"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /etc/traefik/:/etc/traefik/
      - /etc/localtime:/etc/localtime
    restart: always
    labels:
      - "traefik.enable=true"
      - "traefik.http.services.traefik.loadbalancer.server.port=8080"
    environment:
      - CF_API_EMAIL=xxx
      - CF_DNS_API_TOKEN=xxx
      - CF_API_KEY=xxx

Static config (ipv6 and ipv4 are the tunnel IPs of the other side that forwards TCP connections):

global:
  checkNewVersion: true
  sendAnonymousUsage: false

entryPoints:

  web:
    address: :80
    proxyProtocol:
      trustedIPs:
        - <ipv4>
        - <ipv6>
    http:
      middlewares:
        - gzipcompress@file
      redirections:
        entryPoint:
          to: websecure
          scheme: https

  websecure:
    address: :443
    proxyProtocol:
      trustedIPs:
        - <ipv4>
        - <ipv6>
    http:
      middlewares:
        - hstsheader@file
        - gzipcompress@file
    http3: {}

log: {}

accessLog:
  filePath: /etc/traefik/logs/access.log
  format: json

api:
  insecure: true

ping: {}

providers:

  docker:
    network: traefik
    exposedByDefault: false

  file:
    directory: /etc/traefik/config/

certificatesResolvers:

  tls:
    acme:
      email: xxx
      storage: /etc/traefik/acme.json
      tlsChallenge: {}

  dns:
    acme:
      email: xxx
      storage: /etc/traefik/acme.json
      dnsChallenge:
        provider: cloudflare
        delayBeforeCheck: 300

experimental:
  plugins:
    bouncer:
      moduleName: github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin
      version: v1.3.2

The dynamic config just contains the usual router, middleware and service stuff and shouldn't have an effect on this.

I will try HAProxy instead of nginx to forward the TCP connections. Maybe there's a difference in how they send proxy protocol.
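
One way to look for a pattern in which requests get logged with the tunnel address is to group the JSON access log by entry point and protocol. This is an added example, not part of the thread or of Traefik; the tunnel addresses and log lines are constructed, and it assumes the `ClientHost`, `entryPointName` and `RequestProtocol` fields of Traefik's JSON access log.

```python
import ipaddress
import json
from collections import Counter

# Constructed placeholders: put the tunnel-peer addresses from trustedIPs here.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.8.0.1/32", "fd00:8::1/128")]

# Constructed sample lines in the shape of a JSON access log (not real log data).
SAMPLE_LOG = """\
{"ClientHost":"203.0.113.7","entryPointName":"websecure","RequestProtocol":"HTTP/2.0","DownstreamStatus":200}
{"ClientHost":"10.8.0.1","entryPointName":"websecure","RequestProtocol":"HTTP/2.0","DownstreamStatus":200}
{"ClientHost":"10.8.0.1","entryPointName":"web","RequestProtocol":"HTTP/1.1","DownstreamStatus":301}
{"ClientHost":"fd00:8::1","entryPointName":"websecure","RequestProtocol":"HTTP/1.1","DownstreamStatus":404}
not json
{"ClientHost":"198.51.100.23","entryPointName":"websecure","RequestProtocol":"HTTP/1.1","DownstreamStatus":200}
"""


def is_proxy_address(host):
    """True if host is one of the trusted proxy (tunnel peer) addresses."""
    try:
        addr = ipaddress.ip_address(str(host).strip("[]"))
    except ValueError:
        return False  # hostnames or garbage are not the proxy address
    return any(addr in net for net in TRUSTED_PROXIES)


def audit(lines):
    """Count entries per (entry point, protocol), split by whose IP was logged."""
    stats = {"total": 0, "unparsed": 0, "proxy_ip": Counter(), "client_ip": Counter()}
    for line in lines:
        if not line.strip():
            continue
        try:
            entry = json.loads(line)
            host = entry["ClientHost"]
        except (json.JSONDecodeError, KeyError, TypeError):
            stats["unparsed"] += 1  # truncated or non-JSON line
            continue
        stats["total"] += 1
        key = (entry.get("entryPointName"), entry.get("RequestProtocol"))
        bucket = "proxy_ip" if is_proxy_address(host) else "client_ip"
        stats[bucket][key] += 1
    return stats


if __name__ == "__main__":
    for name, value in audit(SAMPLE_LOG.splitlines()).items():
        print(name, value)
```

Entries in the `proxy_ip` bucket are the ones a log-based tool such as CrowdSec would attribute to the tunnel peer instead of the real client.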