Bug #5601
openhaproxy can only authenticate via plaintext
Description
I have set up HAProxy to be able to stream any content from anywhere, without complicating the setup with VPN clients and such.
I do have a VPN, but all the clients do not support it or are a hassle to set up, so keep that option not an option.
On travels I use Android TV with Kodi and Tvheadend PVR (HTSP).
In my home I have set up passwordless access, and from anywhere else I have password access.
To benefit from this I'm using the option "PROXY protocol & X-Forwarded-For:" along with HAProxy's option forwardfor to get the client IP.
If I don't use X-Client-IP, the source will be my internal HAProxy, seeing it as local network, and the user will not need to authenticate, i.e. the headend server is wide open...
Therefore I'm using the client IP to determine the access control.
This is not a critical issue as I have SSL termination on the proxy, but it is disturbing.
As I'm unaware of how the HTSP protocol works, and it is set to plaintext auth, I feel insecure... Is this a critical issue or not?
The bug:
In this setup, I can only have plaintext authentication; digest authentication just sends 401 back to the client without an HTTP auth request.
Tvheadend settings:
user * allowed networks 192.168.0.0/16 no password
user user1 allowed networks 0.0.0.0/0 with password
user user2 allowed networks 0.0.0.0/0 with password
...
Working with ONLY plaintext authentication set (digest and plain does not work).
HAProxy settings:
defaults
    mode http
    option forwardfor except 127.0.0.0/8
frontend http
    bind *:80
    redirect scheme https code 301 if !{ ssl_fc }
frontend https
    bind *:443 ssl crt /valid/certificate.pem
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    redirect scheme https code 301 if !{ ssl_fc }
backend tv_ssl
    server tv 192.168.1.11:9981 check
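
Added example, not part of the original report and not Tvheadend's own code: a sketch of how a backend behind this HAProxy setup can derive the address used for the "allowed networks" decision without trusting client-supplied X-Forwarded-For values. The proxy address 192.168.1.10 and all function names are assumptions made for illustration.

```python
import ipaddress

# Assumptions (constructed for this example, not taken from Tvheadend):
TRUSTED_PROXIES = [ipaddress.ip_network("192.168.1.10/32")]   # hypothetical HAProxy address
PASSWORDLESS_NETS = [ipaddress.ip_network("192.168.0.0/16")]  # the "user *" entry above


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def effective_client_ip(peer_ip, xff_values):
    """Return the address to use for access control, or None if unknown.

    peer_ip    -- source address of the TCP connection the backend sees
    xff_values -- all X-Forwarded-For header values, in the order received
    """
    peer = ipaddress.ip_address(peer_ip)
    if not _in_any(peer, TRUSTED_PROXIES):
        # Not our proxy: the header is client-controlled, so ignore it.
        return peer
    # Flatten repeated headers and "a, b" lists into one hop list.
    hops = [h.strip() for v in xff_values for h in v.split(",") if h.strip()]
    # HAProxy's "option forwardfor" appends, so the right-most hop is the
    # one our own proxy wrote; anything to its left came from the client.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed chain: fail closed
        if not _in_any(addr, TRUSTED_PROXIES):
            return addr
    return None  # proxy sent no usable hop: never fall back to the proxy's IP


def requires_password(peer_ip, xff_values):
    """True unless the resolved client sits in a passwordless network."""
    client = effective_client_ip(peer_ip, xff_values)
    return client is None or not _in_any(client, PASSWORDLESS_NETS)
```

The case that matters for this report is a request arriving from the proxy with no usable header: the sketch demands a password instead of treating the proxy's own LAN address as the client.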