diff --git a/internal/protection/http/http.go b/internal/protection/http/http.go
index 7994e28b..33b2b548 100644
--- a/internal/protection/http/http.go
+++ b/internal/protection/http/http.go
@@ -301,6 +301,7 @@ func ClientIP(remoteAddr string, headers http.Header, prioritizedIPHeader string
 	check := func(value string) net.IP {
 		for _, ip := range strings.Split(value, ",") {
 			ipStr := strings.Trim(ip, " ")
+			ipStr, _ = splitHostPort(ipStr)
 			ip := net.ParseIP(ipStr)
 			if ip == nil {
 				return nil
@@ -344,7 +345,8 @@ func ClientIP(remoteAddr string, headers http.Header, prioritizedIPHeader string
 			return ip
 		}
 	}
-	remoteIPStr, _ := splitHostPort(remoteAddr) // FIXME: replace by net.SplitHostPort?
+
+	remoteIPStr, _ := splitHostPort(remoteAddr)
 	if remoteIPStr == "" {
 		if privateIP != nil {
 			return privateIP
diff --git a/internal/protection/http/http_test.go b/internal/protection/http/http_test.go
index 8e4467eb..8489eb21 100644
--- a/internal/protection/http/http_test.go
+++ b/internal/protection/http/http_test.go
@@ -277,6 +277,14 @@ func TestGetClientIP(t *testing.T) {
 					"X-Forwarded-For": RandPrivateIPv4().String() + "," + RandPrivateIPv4().String() + "," + globalIP.String() + "," + RandPrivateIPv4().String(),
 				},
 			},
+
+			{
+				expected:   "152.23.231.25",
+				remoteAddr: "127.0.0.1",
+				extraHeaders: map[string]string{
+					"X-Forwarded-For": "127.0.0.1, 152.23.231.25:98746, 10.1.2.3, 152.23.231.29, 8.8.8.8",
+				},
+			},
 		} {
 			tc := tc
 			t.Run(tc.expected, func(t *testing.T) {