auth: don't trust clients too much - only trust the *last* IP in the X-Forwarded-For header

The X-Forwarded-For header contains a list of IP addresses, where each proxy server appends the IP they see their request coming from. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For .

Trusting the *first* IP in HTTP_X_FORWARDED_FOR would allow clients to claim any IP, which could be used to bypass IP restrictions configured in Kallithea.

Instead, only trust the last proxy in the chain, and thus only use the *last* IP in HTTP_X_FORWARDED_FOR.

(In setups where more than the last IP should be trusted, the last proxy server in the chain must be configured to rewrite the header accordingly.)
Author: Mads Kiilerich
Revision: r8678:f08fbf42 (branch: default)
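The following is an added example illustrating the bypass the commit message describes; it is not Kallithea's code and not the author's. It simulates a single well-behaved reverse proxy that appends the peer address it saw to X-Forwarded-For, then compares the "before" behaviour (trust the first entry, which the client controls) with the "after" behaviour (trust only the last entry, written by the proxy that actually connected to the application). The allow-list networks, the proxy address `10.0.0.2`, and the function names are assumptions for the illustration; the WSGI `environ` keys `HTTP_X_FORWARDED_FOR` and `REMOTE_ADDR` are the standard ones.

```python
"""Added example: picking the client IP from X-Forwarded-For safely.

Not Kallithea's code. Demonstrates why the *last* entry is the only one a
single trusted proxy vouches for, and how trusting the *first* entry lets a
client spoof its way past an IP allow-list.
"""
import ipaddress


def _parse_forwarded_for(header):
    """Split 'ip1, ip2, ip3' into a list; each proxy appended one entry."""
    return [part.strip() for part in header.split(",") if part.strip()]


def client_ip_trusting_first(environ):
    """'Before' behaviour: uses the first entry, which the client can set."""
    hops = _parse_forwarded_for(environ.get("HTTP_X_FORWARDED_FOR", ""))
    return hops[0] if hops else environ.get("REMOTE_ADDR", "")


def client_ip_trusting_last(environ):
    """'After' behaviour: the last entry was appended by the proxy that
    connected to us, so it is the only one we trust. Without the header,
    fall back to the TCP peer address."""
    hops = _parse_forwarded_for(environ.get("HTTP_X_FORWARDED_FOR", ""))
    return hops[-1] if hops else environ.get("REMOTE_ADDR", "")


def ip_allowed(ip, allowed_networks):
    """Check an address against a list of CIDR strings (hypothetical
    IP-restriction rule set). Unparseable input never matches."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(net) for net in allowed_networks)


def proxy_forward(client_headers, peer_ip, proxy_addr="10.0.0.2"):
    """Simulate one reverse proxy (constructed, not a real server): append the
    peer IP it saw to whatever X-Forwarded-For the client sent, and hand the
    application a WSGI-style environ whose REMOTE_ADDR is the proxy itself."""
    sent = client_headers.get("X-Forwarded-For", "")
    xff = "%s, %s" % (sent, peer_ip) if sent else peer_ip
    return {"HTTP_X_FORWARDED_FOR": xff, "REMOTE_ADDR": proxy_addr}


# Hypothetical restriction: only loopback and the internal network may log in.
ALLOWED = ["127.0.0.0/8", "10.0.0.0/8"]


def spoof_attempt():
    """Attacker at 203.0.113.5 sends a forged header claiming to be localhost."""
    environ = proxy_forward({"X-Forwarded-For": "127.0.0.1"}, "203.0.113.5")
    first = client_ip_trusting_first(environ)
    last = client_ip_trusting_last(environ)
    return {
        "header": environ["HTTP_X_FORWARDED_FOR"],
        "first": first,
        "first_allowed": ip_allowed(first, ALLOWED),   # bypass succeeds
        "last": last,
        "last_allowed": ip_allowed(last, ALLOWED),     # bypass blocked
    }


def honest_request():
    """Internal client at 10.0.0.7 with no forged header."""
    environ = proxy_forward({}, "10.0.0.7")
    last = client_ip_trusting_last(environ)
    return {"last": last, "last_allowed": ip_allowed(last, ALLOWED)}


if __name__ == "__main__":
    print(spoof_attempt())
    print(honest_request())
```

The check to take away: with one trusted proxy in front of the application, the entry it appended is always the last one, so `hops[-1]` is the only value the application can attribute to that proxy. If there are several proxies, the one nearest the application must be configured to rewrite the header so that this still holds, as the commit message notes.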
Files in docs/dev at this revision:
dbmigrations.rst
i18n.rst