diff --git a/src/api/client/account.rs b/src/api/client/account.rs
index 72830f9d4..dc384c4cf 100644
--- a/src/api/client/account.rs
+++ b/src/api/client/account.rs
@@ -1,5 +1,6 @@
 use std::fmt::Write;
 
+use axum_client_ip::InsecureClientIp;
 use conduit::debug_info;
 use register::RegistrationKind;
 use ruma::{
@@ -39,8 +40,9 @@ const RANDOM_USER_ID_LENGTH: usize = 10;
 ///
 /// Note: This will not reserve the username, so the username might become
 /// invalid when trying to register
+#[tracing::instrument(skip_all, fields(%client_ip))]
 pub(crate) async fn get_register_available_route(
-	body: Ruma<get_username_availability::v3::Request>,
+	InsecureClientIp(client_ip): InsecureClientIp, body: Ruma<get_username_availability::v3::Request>,
 ) -> Result<get_username_availability::v3::Response> {
 	// Validate user id
 	let user_id = UserId::parse_with_server_name(body.username.to_lowercase(), services().globals.server_name())
@@ -87,7 +89,10 @@ pub(crate) async fn get_register_available_route(
 /// - If `inhibit_login` is false: Creates a device and returns device id and
 ///   access_token
 #[allow(clippy::doc_markdown)]
-pub(crate) async fn register_route(body: Ruma<register::v3::Request>) -> Result<register::v3::Response> {
+#[tracing::instrument(skip_all, fields(%client_ip))]
+pub(crate) async fn register_route(
+	InsecureClientIp(client_ip): InsecureClientIp, body: Ruma<register::v3::Request>,
+) -> Result<register::v3::Response> {
 	if !services().globals.allow_registration() && body.appservice_info.is_none() {
 		info!(
 			"Registration disabled and request not from known appservice, rejecting registration attempt for username \
@@ -104,8 +109,8 @@ pub(crate) async fn register_route(body: Ruma<register::v3::Request>) -> Result<
 			|| (services().globals.allow_registration() && services().globals.config.registration_token.is_some()))
 	{
 		info!(
-			"Guest registration disabled / registration enabled with token configured, rejecting guest registration, \
-			 initial device name: {:?}",
+			"Guest registration disabled / registration enabled with token configured, rejecting guest registration \
+			 attempt, initial device name: {:?}",
 			body.initial_device_display_name
 		);
 		return Err(Error::BadRequest(
@@ -297,14 +302,14 @@ pub(crate) async fn register_route(body: Ruma<register::v3::Request>) -> Result<
 		services()
 			.admin
 			.send_message(RoomMessageEventContent::notice_plain(format!(
-				"New user \"{user_id}\" registered on this server."
+				"New user \"{user_id}\" registered on this server from IP {client_ip}."
 			)))
 			.await;
 	}
 
 	// log in conduit admin channel if a guest registered
 	if body.appservice_info.is_none() && is_guest && services().globals.log_guest_registrations() {
-		info!("New guest user \"{user_id}\" registered on this server.");
+		info!("New guest user \"{user_id}\" registered on this server from IP.");
 
 		if let Some(device_display_name) = &body.initial_device_display_name {
 			if body
@@ -316,14 +321,15 @@ pub(crate) async fn register_route(body: Ruma<register::v3::Request>) -> Result<
 					.admin
 					.send_message(RoomMessageEventContent::notice_plain(format!(
 						"Guest user \"{user_id}\" with device display name `{device_display_name}` registered on this \
-						 server."
+						 server from IP {client_ip}."
 					)))
 					.await;
 			} else {
 				services()
 					.admin
 					.send_message(RoomMessageEventContent::notice_plain(format!(
-						"Guest user \"{user_id}\" with no device display name registered on this server.",
+						"Guest user \"{user_id}\" with no device display name registered on this server from IP \
+						 {client_ip}.",
 					)))
 					.await;
 			}
@@ -331,7 +337,8 @@ pub(crate) async fn register_route(body: Ruma<register::v3::Request>) -> Result<
 			services()
 				.admin
 				.send_message(RoomMessageEventContent::notice_plain(format!(
-					"Guest user \"{user_id}\" with no device display name registered on this server.",
+					"Guest user \"{user_id}\" with no device display name registered on this server from IP \
+					 {client_ip}.",
 				)))
 				.await;
 		}
@@ -352,7 +359,7 @@ pub(crate) async fn register_route(body: Ruma<register::v3::Request>) -> Result<
 					.make_user_admin(&user_id, displayname)
 					.await?;
 
-				warn!("Granting {} admin privileges as the first user", user_id);
+				warn!("Granting {user_id} admin privileges as the first user");
 			}
 		}
 	}
@@ -416,8 +423,9 @@ pub(crate) async fn register_route(body: Ruma<register::v3::Request>) -> Result<
 ///   last seen ts)
 /// - Forgets to-device events
 /// - Triggers device list updates
+#[tracing::instrument(skip_all, fields(%client_ip))]
 pub(crate) async fn change_password_route(
-	body: Ruma<change_password::v3::Request>,
+	InsecureClientIp(client_ip): InsecureClientIp, body: Ruma<change_password::v3::Request>,
 ) -> Result<change_password::v3::Response> {
 	let sender_user = body.sender_user.as_ref().expect("user is authenticated");
 	let sender_device = body.sender_device.as_ref().expect("user is authenticated");
@@ -466,7 +474,7 @@ pub(crate) async fn change_password_route(
 		}
 	}
 
-	info!("User {} changed their password.", sender_user);
+	info!("User {sender_user} changed their password.");
 	services()
 		.admin
 		.send_message(RoomMessageEventContent::notice_plain(format!(
@@ -504,7 +512,10 @@ pub(crate) async fn whoami_route(body: Ruma<whoami::v3::Request>) -> Result<whoa
 /// - Forgets all to-device events
 /// - Triggers device list updates
 /// - Removes ability to log in again
-pub(crate) async fn deactivate_route(body: Ruma<deactivate::v3::Request>) -> Result<deactivate::v3::Response> {
+#[tracing::instrument(skip_all, fields(%client_ip))]
+pub(crate) async fn deactivate_route(
+	InsecureClientIp(client_ip): InsecureClientIp, body: Ruma<deactivate::v3::Request>,
+) -> Result<deactivate::v3::Response> {
 	let sender_user = body.sender_user.as_ref().expect("user is authenticated");
 	let sender_device = body.sender_device.as_ref().expect("user is authenticated");
 
@@ -542,7 +553,7 @@ pub(crate) async fn deactivate_route(body: Ruma<deactivate::v3::Request>) -> Res
 	// Remove devices and mark account as deactivated
 	services().users.deactivate_account(sender_user)?;
 
-	info!("User {} deactivated their account.", sender_user);
+	info!("User {sender_user} deactivated their account.");
 	services()
 		.admin
 		.send_message(RoomMessageEventContent::notice_plain(format!(
diff --git a/src/api/client/directory.rs b/src/api/client/directory.rs
index ef475a680..20f0ccca9 100644
--- a/src/api/client/directory.rs
+++ b/src/api/client/directory.rs
@@ -1,3 +1,4 @@
+use axum_client_ip::InsecureClientIp;
 use ruma::{
 	api::{
 		client::{
@@ -27,8 +28,9 @@ use crate::{service::server_is_ours, services, Error, Result, Ruma};
 /// Lists the public rooms on this server.
 ///
 /// - Rooms are ordered by the number of joined members
+#[tracing::instrument(skip_all, fields(%client_ip))]
 pub(crate) async fn get_public_rooms_filtered_route(
-	body: Ruma<get_public_rooms_filtered::v3::Request>,
+	InsecureClientIp(client_ip): InsecureClientIp, body: Ruma<get_public_rooms_filtered::v3::Request>,
 ) -> Result<get_public_rooms_filtered::v3::Response> {
 	if let Some(server) = &body.server {
 		if services()
@@ -52,8 +54,8 @@ pub(crate) async fn get_public_rooms_filtered_route(
 	)
 	.await
 	.map_err(|e| {
-		warn!("Failed to return our /publicRooms: {e}");
-		Error::BadRequest(ErrorKind::Unknown, "Failed to return this server's public room list.")
+		warn!(?body.server, "Failed to return /publicRooms: {e}");
+		Error::BadRequest(ErrorKind::Unknown, "Failed to return the requested server's public room list.")
 	})?;
 
 	Ok(response)
@@ -64,8 +66,9 @@ pub(crate) async fn get_public_rooms_filtered_route(
 /// Lists the public rooms on this server.
 ///
 /// - Rooms are ordered by the number of joined members
+#[tracing::instrument(skip_all, fields(%client_ip))]
 pub(crate) async fn get_public_rooms_route(
-	body: Ruma<get_public_rooms::v3::Request>,
+	InsecureClientIp(client_ip): InsecureClientIp, body: Ruma<get_public_rooms::v3::Request>,
 ) -> Result<get_public_rooms::v3::Response> {
 	if let Some(server) = &body.server {
 		if services()
@@ -89,8 +92,8 @@ pub(crate) async fn get_public_rooms_route(
 	)
 	.await
 	.map_err(|e| {
-		warn!("Failed to return our /publicRooms: {e}");
-		Error::BadRequest(ErrorKind::Unknown, "Failed to return this server's public room list.")
+		warn!(?body.server, "Failed to return /publicRooms: {e}");
+		Error::BadRequest(ErrorKind::Unknown, "Failed to return the requested server's public room list.")
 	})?;
 
 	Ok(get_public_rooms::v3::Response {
@@ -106,8 +109,9 @@ pub(crate) async fn get_public_rooms_route(
 /// Sets the visibility of a given room in the room directory.
 ///
 /// - TODO: Access control checks
+#[tracing::instrument(skip_all, fields(%client_ip))]
 pub(crate) async fn set_room_visibility_route(
-	body: Ruma<set_room_visibility::v3::Request>,
+	InsecureClientIp(client_ip): InsecureClientIp, body: Ruma<set_room_visibility::v3::Request>,
 ) -> Result<set_room_visibility::v3::Response> {
 	let sender_user = body.sender_user.as_ref().expect("user is authenticated");
 
diff --git a/src/api/client/membership.rs b/src/api/client/membership.rs
index ad63d8963..79ea50bd1 100644
--- a/src/api/client/membership.rs
+++ b/src/api/client/membership.rs
@@ -5,6 +5,7 @@ use std::{
 	time::{Duration, Instant},
 };
 
+use axum_client_ip::InsecureClientIp;
 use ruma::{
 	api::{
 		client::{
@@ -141,8 +142,9 @@ async fn banned_room_check(user_id: &UserId, room_id: Option<&RoomId>, server_na
 ///   rules locally
 /// - If the server does not know about the room: asks other servers over
 ///   federation
+#[tracing::instrument(skip_all, fields(%client_ip))]
 pub(crate) async fn join_room_by_id_route(
-	body: Ruma<join_room_by_id::v3::Request>,
+	InsecureClientIp(client_ip): InsecureClientIp, body: Ruma<join_room_by_id::v3::Request>,
 ) -> Result<join_room_by_id::v3::Response> {
 	let sender_user = body.sender_user.as_ref().expect("user is authenticated");
 
@@ -193,8 +195,9 @@ pub(crate) async fn join_room_by_id_route(
 /// - If the server does not know about the room: use the server name query
 ///   param if specified. if not specified, asks other servers over federation
 ///   via room alias server name and room ID server name
+#[tracing::instrument(skip_all, fields(%client_ip))]
 pub(crate) async fn join_room_by_id_or_alias_route(
-	body: Ruma<join_room_by_id_or_alias::v3::Request>,
+	InsecureClientIp(client_ip): InsecureClientIp, body: Ruma<join_room_by_id_or_alias::v3::Request>,
 ) -> Result<join_room_by_id_or_alias::v3::Response> {
 	let sender_user = body.sender_user.as_deref().expect("user is authenticated");
 	let body = body.body;
@@ -295,7 +298,10 @@ pub(crate) async fn leave_room_route(body: Ruma<leave_room::v3::Request>) -> Res
 /// # `POST /_matrix/client/r0/rooms/{roomId}/invite`
 ///
 /// Tries to send an invite event into the room.
-pub(crate) async fn invite_user_route(body: Ruma<invite_user::v3::Request>) -> Result<invite_user::v3::Response> {
+#[tracing::instrument(skip_all, fields(%client_ip))]
+pub(crate) async fn invite_user_route(
+	InsecureClientIp(client_ip): InsecureClientIp, body: Ruma<invite_user::v3::Request>,
+) -> Result<invite_user::v3::Response> {
 	let sender_user = body.sender_user.as_ref().expect("user is authenticated");
 
 	if !services().users.is_admin(sender_user)? && services().globals.block_non_admin_invites() {
diff --git a/src/api/server/invite.rs b/src/api/server/invite.rs
index 9ebc60ee4..1b256b4a2 100644
--- a/src/api/server/invite.rs
+++ b/src/api/server/invite.rs
@@ -1,3 +1,4 @@
+use axum_client_ip::InsecureClientIp;
 use ruma::{
 	api::{client::error::ErrorKind, federation::membership::create_invite},
 	events::room::member::{MembershipState, RoomMemberEventContent},
@@ -16,7 +17,10 @@ use crate::{
 /// # `PUT /_matrix/federation/v2/invite/{roomId}/{eventId}`
 ///
 /// Invites a remote user to a room.
-pub(crate) async fn create_invite_route(body: Ruma<create_invite::v2::Request>) -> Result<create_invite::v2::Response> {
+#[tracing::instrument(skip_all, fields(%client_ip))]
+pub(crate) async fn create_invite_route(
+	InsecureClientIp(client_ip): InsecureClientIp, body: Ruma<create_invite::v2::Request>,
+) -> Result<create_invite::v2::Response> {
 	let origin = body.origin.as_ref().expect("server is authenticated");
 
 	// ACL check origin
diff --git a/src/api/server/publicrooms.rs b/src/api/server/publicrooms.rs
index 5a91f018e..6b5010e52 100644
--- a/src/api/server/publicrooms.rs
+++ b/src/api/server/publicrooms.rs
@@ -1,3 +1,4 @@
+use axum_client_ip::InsecureClientIp;
 use ruma::{
 	api::{
 		client::error::ErrorKind,
@@ -11,8 +12,9 @@ use crate::{services, Error, Result, Ruma};
 /// # `POST /_matrix/federation/v1/publicRooms`
 ///
 /// Lists the public rooms on this server.
+#[tracing::instrument(skip_all, fields(%client_ip))]
 pub(crate) async fn get_public_rooms_filtered_route(
-	body: Ruma<get_public_rooms_filtered::v1::Request>,
+	InsecureClientIp(client_ip): InsecureClientIp, body: Ruma<get_public_rooms_filtered::v1::Request>,
 ) -> Result<get_public_rooms_filtered::v1::Response> {
 	if !services()
 		.globals
@@ -42,8 +44,9 @@ pub(crate) async fn get_public_rooms_filtered_route(
 /// # `GET /_matrix/federation/v1/publicRooms`
 ///
 /// Lists the public rooms on this server.
+#[tracing::instrument(skip_all, fields(%client_ip))]
 pub(crate) async fn get_public_rooms_route(
-	body: Ruma<get_public_rooms::v1::Request>,
+	InsecureClientIp(client_ip): InsecureClientIp, body: Ruma<get_public_rooms::v1::Request>,
 ) -> Result<get_public_rooms::v1::Response> {
 	if !services()
 		.globals
diff --git a/src/api/server/send.rs b/src/api/server/send.rs
index 592eb4f94..e2413a4ab 100644
--- a/src/api/server/send.rs
+++ b/src/api/server/send.rs
@@ -1,5 +1,6 @@
 use std::{collections::BTreeMap, sync::Arc, time::Instant};
 
+use axum_client_ip::InsecureClientIp;
 use conduit::debug_warn;
 use ruma::{
 	api::{
@@ -25,8 +26,9 @@ use crate::{
 /// # `PUT /_matrix/federation/v1/send/{txnId}`
 ///
 /// Push EDUs and PDUs to this server.
+#[tracing::instrument(skip_all, fields(%client_ip))]
 pub(crate) async fn send_transaction_message_route(
-	body: Ruma<send_transaction_message::v1::Request>,
+	InsecureClientIp(client_ip): InsecureClientIp, body: Ruma<send_transaction_message::v1::Request>,
 ) -> Result<send_transaction_message::v1::Response> {
 	let origin = body.origin.as_ref().expect("server is authenticated");
 
diff --git a/src/core/utils/mod.rs b/src/core/utils/mod.rs
index f3a45e47c..9ffbbbd03 100644
--- a/src/core/utils/mod.rs
+++ b/src/core/utils/mod.rs
@@ -7,8 +7,7 @@ pub mod json;
 pub mod sys;
 
 use std::{
-	cmp,
-	cmp::Ordering,
+	cmp::{self, Ordering},
 	time::{SystemTime, UNIX_EPOCH},
 };
 
diff --git a/src/router/layers.rs b/src/router/layers.rs
index b358a3e63..3c7a5387b 100644
--- a/src/router/layers.rs
+++ b/src/router/layers.rs
@@ -37,7 +37,6 @@ pub(crate) fn build(server: &Arc<Server>) -> io::Result<Router> {
 
 	let layers = layers
 		.sensitive_headers([header::AUTHORIZATION])
-		.sensitive_request_headers([HeaderName::from_static("x-forwarded-for")].into())
 		.layer(axum::middleware::from_fn_with_state(Arc::clone(server), request::spawn))
 		.layer(
 			TraceLayer::new_for_http()