ProxyPeerAddressHandler:62 sets the source address to an InetSocketAddress for which `getAddress()` returns `null`. The resolved IP is only set as hostname in the InetSocketAddress.
The IPAddressAccessControlHandler then consumes the source address on line 102 and uses the address retrieved via `getAddress()` for ACL matching. Since `getAddress()` returns null now, the request is rejected.
This applies to every request with an X-Forwarded-For header.

So the two handlers are clearly incompatible at the moment but I am unsure of where to fix this incompatibility.