Wrong order of IPs in X-Forwarded-For header
In lib/cptools.py, the reference http://bob.pythonmac.org/archives/2005/09/23/apache-x-forwarded-for-caveat/ (this article is ~ 8 years old) is stated as the recipe for obtaining the client's IP from the X-Forwarded-For header (it uses the last entry in the ", "-separated list).
Apache, however, uses another order of IPs. The article at http://en.wikipedia.org/wiki/X-Forwarded-For describes the same order that Apache uses.
In our setup, e.g., the console log always shows the IP of our apache proxy server.