As an aside, is anyone talking about seriously using this for access
control? We've established that using X-F-F is a bad idea for that, in
fact, I'd say that even known REMOTE_ADDR based auth is a bad idea, so
why does it matter whether it is "trustworthy"?
Anyway - I use X-F-F for IP geolocatio
Since there seems to be two use cases, might I suggest forking the
secondary use case into a separate middleware class?
Whether or not the trusted reverse proxy scenario is more common
(though I believe it is), it's best to avoid breaking existing
functionality, especially when the SetRemoteAddrF
