diff --git a/django/middleware/http.py b/django/middleware/http.py index 78e066c67b2..71cdf7aa5dd 100644 --- a/django/middleware/http.py +++ b/django/middleware/http.py @@ -54,8 +54,7 @@ class SetRemoteAddrFromForwardedFor(object): except KeyError: return None else: - # HTTP_X_FORWARDED_FOR can be a comma-separated list of IPs. - # Take just the last one. - # See http://bob.pythonmac.org/archives/2005/09/23/apache-x-forwarded-for-caveat/ - real_ip = real_ip.split(",")[-1].strip() + # HTTP_X_FORWARDED_FOR can be a comma-separated list of IPs. The + # client's IP will be the first one. + real_ip = real_ip.split(",")[0].strip() request.META['REMOTE_ADDR'] = real_ip