I am struggling with this, too.
I have a Debian server with Apache 2.4 vHosts and one of these vHosts is the Discourse Docker container. On Apache the mod_remoteip is enabled (there was no mod_extract_forwarded), but without any configuration options. The vHost config is pretty simple:
RequestHeader set X-Forwarded-Proto "https"
ProxyPreserveHost On
ProxyRequests Off
ProxyPass /.well-known !
ProxyPass / http://localhost:8083/
ProxyPassReverse / http://localhost:8083/
8083 is the exposed http port of the Discourse Docker container.
That’s it pretty much.
I see the different visitors (by IP) in the statistics created with the Apache access.log and, more important, I also see different last IPs for the users (this was a simple check for me). So it seems to be that the IP addresses of the visitors are exposed through the Apache proxy to Discourse. This was already the case without mod_remoteip turned on, which I only did some days agao.
Anyway, I am having trouble again now. Some crawler or DoS attack is running on our server with an IPv4 from Krakau, Poland. It is generating a lot of 429 errors. That’s okay for me, but all other visitors also get these errors.
Is that also the case? So when the connection limit is reached everybody gets an error? Or per IP?
Is something missing in my configuration or can I improve/tune it? We were having problems with the Claudebot some weeks and also some days ago, so maybe the limit needs to be lifted up a bit.
Thanks and greetings,
Roi