Add "get all IPs" function?

[adam-p]

This blog post mentions using all X-Forwarded-For/Forwarded IPs in a "deny if any" access control scheme: disallow if any of the XFF IPs are on a forbidden list. To participate in that scheme, we would need to return all IPs, rather than just one "real" IP.

Is that access controls scheme just hypothetical? Is supporting it outside our purview? Or should we add the functions necessary to enable it?

This wouldn't really be a "strategy". Probably just a function that takes r.Header and returns a slice of strings. Maybe only valid ones? Maybe not?