How do I get the correct IP from HTTP_X_FORWARDED_FOR if it contains multiple IP Addresses?

According to this, the format of X-Forwarded-For HTTP header is:

X-Forwarded-For: client1, proxy1, proxy2, ...

So the IP address of the client that you want should be the first one in the list

A further note on the reliability subject:

Anyone can forge HTTP_X_FORWARDED_FOR by using a tool such as the Firefox plugin "Tamper Data" or their own local proxy (e.g. Privoxy). This means that the entire string might be fake, and REMOTE_ADDR is the actual original host. It might also mean that the first "client1" address is faked, and then the client connected through a proxy, resulting in proxy1 being the client's IP address and REMOTE_ADDR being the single proxy used.

If you are looking to deny access based on IP, I would suggest checking every IP address in the XFF header as well as REMOTE_ADDR.

If you're looking to grant access based on the region of an IP, I'd suggest allowing access only if XFF is blank and the IP is from the proper area.

As Mastermind already noted, however, there are proxies which will hide the chain of proxies. For instance, the Tor network will make a request appear as if it came from the final proxy machine, rather than the original IP. Anonymizing proxies will often claim they are forwarding for the same IP as reported in REMOTE_ADDR.

IP based filtering is generally a pretty crude, last-resort mechanism of access control.

I asked some time ago a very similar question.

Getting the client IP address: REMOTE_ADDR, HTTP_X_FORWARDED_FOR, what else could be useful?

As correctly pointed out, you can take the first value considering it to be the client's IP address. But it may as well be company gateway IP.

And anonymous proxies will wipe out information in this header anyway, so it is useful but not reliable.