Need to check real IP address for proxy deployments or document behaviour

[vmsh0]

Checking the X-Forwarded-For header field for IP address filtering here might not be enough for some deployments.

E.g.

• The bot is bind on 0.0.0.0 and an appropriate firewall rule is not used
• The bot is bind on a public Internet IP address to which a different server forwards Telegram packets and an appropriate firewall rule is not used

The exemplified use cases are (hopefully) unusual but still very possible, especially in testing environments. In each of these cases, one could easily impersonate Telegram by sending HTTP requests to the server's public IP address and forging the X-Forwarded-For header field.
Although this does seem more like a IT administration issue than an aiogram issue, I think this should at least be documented, since a developer (especially one that's less-then-savvy with computer networks) could legitimately presume that the IP address filtering functionality would provide complete security against such attacks. I could also imagine larger deployments in which the above presumptions could be true for performance reasons.

If you are also considering a hard fix, here are some ideas:

• Add default logic to presume that non-HTTPS deployments should only be local (and from a local IP address), only allow a different behavior if explicitly enabled (secure by default, no need to break code compatibility)
• Change the IP address filtering option to force the developer to explicitly state what should be in the X-Forwarded-For HTTP header field instead of determining it through the current logic (secure by updating bot code, probably breaks code compatibility)