The HTTPRequest.remote_ip field is intended to contain a trustworthy equivalent of the TCP-level remote address, so it accepts only a single X-Forwarded-For hop, and only when configured to do so. For some purposes (e.g. geolocation), it is useful to take whatever IP address the client claims to be using even through a chain of untrusted proxies. There should be some method to return the first public IP address from X-Forwarded-For.