Description: Use the last value from the X-Forwarded-For header, which
 is not in RPAFproxy_ips as the client IP, falling back to the first one
 if they are all known proxies.
Author: Dagfinn Ilmari Mannsåker <ilmari@ilmari.org>

---
 mod_rpaf-2.0.c |   12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

--- a/mod_rpaf-2.0.c
+++ b/mod_rpaf-2.0.c
@@ -154,6 +154,16 @@
     return APR_SUCCESS;
 }
 
+static char* last_not_in_array(apr_array_header_t *forwarded_for,
+                               apr_array_header_t *proxy_ips) {
+    int i;
+    for (i = (forwarded_for->nelts)-1; i > 0; i--) {
+	if (!is_in_array(((char **)forwarded_for->elts)[i], proxy_ips))
+           break;
+    }
+    return ((char **)forwarded_for->elts)[i];
+}
+
 static int change_remote_ip(request_rec *r) {
     const char *fwdvalue;
     char *val;
@@ -185,7 +195,7 @@
             rcr->old_ip = apr_pstrdup(r->connection->pool, r->connection->remote_ip);
             rcr->r = r;
             apr_pool_cleanup_register(r->pool, (void *)rcr, rpaf_cleanup, apr_pool_cleanup_null);
-            r->connection->remote_ip = apr_pstrdup(r->connection->pool, ((char **)arr->elts)[((arr->nelts)-1)]);
+            r->connection->remote_ip = apr_pstrdup(r->connection->pool, last_not_in_array(arr, cfg->proxy_ips));
             r->connection->remote_addr->sa.sin.sin_addr.s_addr = apr_inet_addr(r->connection->remote_ip);
             apr_sockaddr_t *tmpsa;
             int ret = apr_sockaddr_info_get(&tmpsa, r->connection->remote_ip, APR_UNSPEC, r->connection->remote_addr->port, 0, r->connection->remote_addr->pool);