* Use the first X_FORWARDED_FOR value if there are multiple proxies in the

  path. Fixes #5.

3 files changed, 8 insertions, 3 deletions

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 98b82d9..5606bce 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -5,6 +5,8 @@ Release 2.1 (**dev**)
 =====================
 * Extract Route creation into separate method in Mapper.  Subclasses of Route
   can be created by Mappers now.
+* Use the first X_FORWARDED_FOR value if there are multiple proxies in the
+  path. Fixes #5.
 
 Release 2.0 (November 17, 2013)
 ===============================
diff --git a/routes/__init__.py b/routes/__init__.py
index ae9a21b..76c19fa 100644
--- a/routes/__init__.py
+++ b/routes/__init__.py
@@ -60,7 +60,10 @@ class _RequestConfig(object):
             pass
 
         if 'HTTP_X_FORWARDED_HOST' in environ:
-            self.__shared_state.host = environ['HTTP_X_FORWARDED_HOST']
+            # Apache will add multiple comma separated values to
+            # X-Forwarded-Host if there are multiple reverse proxies
+            self.__shared_state.host = \
+                environ['HTTP_X_FORWARDED_HOST'].split(', ', 1)[0]
         elif 'HTTP_HOST' in environ:
             self.__shared_state.host = environ['HTTP_HOST']
         else:
diff --git a/routes/util.py b/routes/util.py
index 738d002..5b3fae1 100644
--- a/routes/util.py
+++ b/routes/util.py
@@ -460,12 +460,12 @@ def cache_hostinfo(environ):
     """
     hostinfo = {}
     if environ.get('HTTPS') or environ.get('wsgi.url_scheme') == 'https' \
-       or environ.get('HTTP_X_FORWARDED_PROTO') == 'https':
+       or 'https' in environ.get('HTTP_X_FORWARDED_PROTO', "").split(', '):
         hostinfo['protocol'] = 'https'
     else:
         hostinfo['protocol'] = 'http'
     if environ.get('HTTP_X_FORWARDED_HOST'):
-        hostinfo['host'] = environ['HTTP_X_FORWARDED_HOST']
+        hostinfo['host'] = environ['HTTP_X_FORWARDED_HOST'].split(', ', 1)[0]
     elif environ.get('HTTP_HOST'):
         hostinfo['host'] = environ['HTTP_HOST']
     else: