Replies: 0
This plugin makes an incorrect assumption: X-Forwarded-For only ever contains one IP address. However, it’s standard use is that each proxy/gateway appends the IP address of the requesting proxy/gateway/end-user to the end of the list. Like all HTTP headers, this list is represented as a comma separated list.
E.g. X-Forwarded-For: 1.2.3.4, ::1, 127.0.0.1, 4.3.2.1
Which one is the user’s actual IP address and which is just a proxy server in the chain? … who knows. Localhost and loopback addresses can safely be discarded. This is just a server talking to itself. Other that that, I’m not sure what the best way for cleaning up this header to “get the real IP address” as the function says.