diff --git a/controllers/nginx/pkg/template/template.go b/controllers/nginx/pkg/template/template.go
index 111a7626c0..0cbb52f618 100644
--- a/controllers/nginx/pkg/template/template.go
+++ b/controllers/nginx/pkg/template/template.go
@@ -673,17 +673,20 @@ func buildForwardedFor(input interface{}) string {
 func trustHTTPHeaders(input interface{}) bool {
 	conf, ok := input.(config.TemplateConfig)
 	if !ok {
+		glog.Errorf("%v", input)
 		return true
 	}
 
 	return conf.Cfg.RealClientFrom == "http-proxy" ||
-		(conf.Cfg.RealClientFrom == "auto" && !conf.Cfg.UseProxyProtocol &&
-			(conf.PublishService != nil && conf.PublishService.Spec.Type == apiv1.ServiceTypeLoadBalancer))
+		(conf.Cfg.RealClientFrom == "auto" && !conf.Cfg.UseProxyProtocol ||
+			(conf.Cfg.RealClientFrom == "auto" && conf.PublishService != nil &&
+				conf.PublishService.Spec.Type == apiv1.ServiceTypeLoadBalancer))
 }
 
 func trustProxyProtocol(input interface{}) bool {
 	conf, ok := input.(config.TemplateConfig)
 	if !ok {
+		glog.Errorf("%v", input)
 		return true
 	}
 
diff --git a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
index c827d994fc..88413515d2 100644
--- a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
+++ b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
@@ -155,8 +155,8 @@ http {
     # Trust HTTP X-Forwarded-* Headers, but use direct values if they're missing.
     map {{ buildForwardedFor $cfg.ForwardedForHeader }} $the_real_ip {
         # Get IP address from X-Forwarded-For HTTP header
-        default          $remote_addr;
-        ''               $realip_remote_addr;
+        default          $realip_remote_addr;
+        ''               $remote_addr;
     }
 
     # trust http_x_forwarded_proto headers correctly indicate ssl offloading