diff --git a/route/access_rules.go b/route/access_rules.go
index ba2002d28..4b73108f7 100644
--- a/route/access_rules.go
+++ b/route/access_rules.go
@@ -44,16 +44,14 @@ func (t *Target) AccessDeniedHTTP(r *http.Request) bool {
 		// https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/x-forwarded-headers.html#x-forwarded-for
 		// See lengthy github discussion for more background: https://github.com/fabiolb/fabio/pull/449
 		for _, xip := range strings.Split(xff, ",") {
-			// ensure we only get the ip string
 			xip = strings.TrimSpace(xip)
-			// only continue if xip differs from host
 			if xip == host {
 				continue
 			}
 			if ip = net.ParseIP(xip); ip == nil {
 				log.Printf("[WARN] failed to parse xff address %s", xip)
+				continue
 			}
-			// check xff source and return if denied
 			if t.denyByIP(ip) {
 				return true
 			}