The new trusted proxies feature in 8.7 does not properly use the supplied trusted proxies.
Any config supplied to nginx['real_ip_trusted_addresses'] or gitlab_rails['trusted_proxies'] is passed into Action Dispatch as strings only, instead of the IPAddr objects it is expecting.
As a result, Action Dispatch is not able to filter out any of the trusted proxies from the X-Forwarded-For header, which can result in users appearing to be signed in from the proxy's IP.
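
A minimal model of the failure, added here as an illustration (not GitLab's or Rails' own code). It assumes the filter matches each X-Forwarded-For hop against the trusted list with ===; the helper names and the addresses are constructed for the example.

```ruby
require 'ipaddr'

# Simplified stand-in for the proxy filter (assumption: hops are matched with ===).
# String#=== is plain equality, so '10.0.0.0/8' never matches '10.0.0.5';
# IPAddr#=== tests membership in the address or CIDR range.
def filter_proxies(hops, trusted)
  hops.reject { |ip| trusted.any? { |proxy| proxy === ip } }
end

# Hypothetical helper: true when the text parses as an IP address.
def valid_ip?(text)
  IPAddr.new(text)
  true
rescue ArgumentError # IPAddr's parse errors are ArgumentError subclasses
  false
end

# Hypothetical helper: walk X-Forwarded-For from the hop nearest the server
# outward, skip trusted proxies, and fall back to the socket peer address.
def client_ip(x_forwarded_for, remote_addr, trusted)
  hops = x_forwarded_for.split(',').map(&:strip).reverse
  hops = hops.select { |ip| valid_ip?(ip) }
  filter_proxies(hops, trusted).first || remote_addr
end

# Hypothetical fix: convert configured strings to IPAddr before they are used.
def normalize_trusted(entries)
  entries.map { |e| e.is_a?(IPAddr) ? e : IPAddr.new(e) }
end

# Constructed sample: one internal proxy (10.0.0.5) in front of the application.
CONFIGURED = ['10.0.0.0/8'].freeze # as written in the config file: strings
XFF        = '203.0.113.7, 10.0.0.5'
REMOTE     = '10.0.0.5'

# Trusted list left as strings: the proxy is not filtered out.
def seen_with_strings
  client_ip(XFF, REMOTE, CONFIGURED)
end

# Trusted list converted to IPAddr: the real client address is recovered.
def seen_with_ipaddr
  client_ip(XFF, REMOTE, normalize_trusted(CONFIGURED))
end

if __FILE__ == $PROGRAM_NAME
  puts "strings: #{seen_with_strings}"
  puts "IPAddr:  #{seen_with_ipaddr}"
end
```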