Konrad,
Does your proxy also communicate with a content-inspection device, like for
anti-virus inspection of web content? If so, there may be a way to correlate.
The web proxy would use the Internet Content Adaptation Protocol (ICAP) to
encapsulate the HTTP/HTTPS traffic to send to the anti-virus server for
inspection. I wrote a protocol analyzer for ICAP. This protocol is very
similar in syntax to HTTP, and it contains header fields (supported by most
web proxy vendors) called "X-Client-IP" and "X-Server-IP" which correspond to
the original IP addresses of the local web client and the remote web server,
respectively. Please see my presentation from BroCon 2016, perhaps it
applies:
https://www.zeek.org/community/brocon2016.html
Mark